S. 2145, “THE SPY BLOCK ACT”


TUESDAY, MARCH 23, 2004 

U.S. Senate, 

Subcommittee on Communications, 
Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The Subcommittee met, pursuant to notice, at 2:30 p.m. in room 
SR-253, Russell Senate Office Building, Hon. Conrad Burns, Chair- 
man of the Subcommittee, presiding. 

OPENING STATEMENT OF HON. CONRAD BURNS, 

U.S. SENATOR FROM MONTANA 

Senator Burns. We will call the Committee to order. Thank you 
for coming today as we look at another problem we face in the 
world of Internet. In the world of worms and viruses, you’d think 
this would be the Ag Committee but it’s not. Cookies and implants, 
you can put that it in any committee. But today’s hearing concerns 
a topic of critical importance to the future of consumer privacy and 
electronic commerce in the digital age, and I refer to the flood of 
spyware, which has been increasingly burrowing itself into con- 
sumers’ computers, often without their knowledge. 

I’m pleased to benefit from the hard work and expertise of my 
friend, Senator Wyden. We’ve worked together on many issues and
I look forward on working with him on this one. We passed CAN 
SPAM, which after 4 years finally became law, and we may be a 
little bit ahead of the curve whenever we start talking about the 
subject that we’re visiting about today. I’m convinced that spyware 
is potentially an even greater concern than junk e-mail, given its 
invasive nature. 

I appreciate the support of another one of my colleagues on the 
Committee who has been an ardent defender of consumers’ rights 
online, and of course, that’s Senator Boxer of California. Together 
we have crafted legislation aimed at ending the insidious operation 
of spyware, and it is the SPY BLOCK Act of 2004. 

Spyware refers to the software that is downloaded onto users’ 
computers without their knowledge or consent. It’s a sneaky way 
of software that is often used to track the movements of consumers 
online and even steal passwords. The porous gaps of spyware cre- 
ates in a computer’s security may be difficult to close. 

For example, one popular peer-to-peer file sharing network rou- 
tinely installs spyware to track users’ information and retrieves 
targeted banner ads and pop-ups. As noted by the recent article in 
PC Magazine, these file sharing networks may be free, they may 
be free but at the cost of privacy and not money. 

Of the 60 million users, few know that they are being watched,
and those who discover spyware, uninstalling it may prove to be 
difficult other than the software programs. Some spyware includes 
tricklers. Now we’ve got a new word in vocabulary now, tricklers, 
which reinstall the files as you delete them. Users may think that 
they are getting rid of the problem, but the reality of the situation 
is far different. 

So creators of spyware have engineered the technology so that 
once it is installed on a computer, it is difficult and sometimes im- 
possible to remove, in some cases requires the entire hard drive to 
be erased to get rid of the poisonous product. Such drastic meas- 
ures may be taken, because often spyware tells the installer what 
websites the user visits, it steals the passwords or other sensitive 
documents on a personal computer, and also redirects Internet traf- 
fic through certain websites. 

One of the most disturbing aspects about the spyware problem 
is that so few consumers are aware of it. Bearing this in mind, the 
SPY BLOCK bill relies on a common sense approach, which pro- 
hibits the installation of software on consumers’ computers without 
notice, consent, and reasonable uninstall procedures. The notice 
and consent approach which SPY BLOCK takes would end the 
practice of so-called drive-by downloads, which some bad actors use 
to secretly download programs onto users’ computers without their 
knowledge. 

Under SPY BLOCK, software providers must give the consumers 
clear and conspicuous notice that a software program will be 
downloaded in their computers and requires user consent. This 
simple provision could be fulfilled by clicking yes in the dialogue 
box, for example. 

SPY BLOCK also requires notice and consent from other types 
of software. In the case of adware, another here we got, providers 
are required to tell consumers what types of ads will pop up on the 
users’ screens and at what frequency. Consent is required for soft- 
ware that modifies user settings or uses distributed computing 
methods by utilizing the processing power of individual computers 
to create larger networks. 

And finally, software providers must allow for their programs to 
be easily uninstalled by users after they are downloaded. As with 
CAN SPAM law, enforcement authority would be given to the Fed- 
eral Trade Commission. The state’s attorney general would also 
take action against purveyors of spyware, and it also empowers the 
users. 

Clearly, the right balance must be reached between punishing 
bad actors and not impeding legitimate e-commerce. I am open to 
discussing with my colleagues ways to craft this legislation as to 
capture the truly malicious offenders. Make no mistake about it. 
The intent of SPY BLOCK is to bring back a little truth in adver- 
tising. Clearly, accountability needs to be brought to bear on this 
issue. 

I’m anxious to hear exactly how using the unique brands of trust- 
ed companies to redirect consumers to their commerce sites is a le- 
gitimate business practice. While I understand this may be ex- 
plained as a high-tech form of contextual marketing, I am very 
leery on the broad types of questionable business practices that
could be legitimized by this line of thinking. 

Working closely with my good friends, Senator Wyden and Sen- 
ator Boxer, I’m confident that we can make major progress on this 
legislation before spyware infects a critical mass of computers and 
renders them useless. Just trying to keep up with the latest anti- 
spyware software imposes a tremendous cost to business, let alone 
individuals who have to spend their time online worried about the 
next spyware infestation. 

I look forward to hearing the testimony today and I appreciate 
our witnesses, and now Senator Wyden. And thank you so much 
for your good help. 

STATEMENT OF HON. RON WYDEN, 

U.S. SENATOR FROM OREGON 

Senator Wyden. Thank you, Mr. Chairman. It’s great to have a 
chance to team up with you. I think once again we’re showing that 
work in this area clearly can be bipartisan and we have gone this 
way on a host of initiatives. It’s great to team up with you and 
then, of course, to have Senator Boxer, who’s such an articulate 
and strong advocate, not just of consumers, but the technology sec- 
tor. To have her with us as well is a great pleasure. 

You said it very well and I’m just going to make a couple of quick 
comments. In fact, Mr. Chairman, if I could. I’ve got a longer state- 
ment and I’d like to have that placed in the record. 

Senator Burns. Without objection. 

Senator Wyden. Mr. Chairman, it just seems to me what is going 
on here is that snoops and spies are really trying to set up base 
camp in millions of computers across the country, and what we are 
in effect saying is that the owners of computers in this Nation 
ought to have control over what software gets placed on that com- 
puter. It really is just that simple. That really belongs to the com- 
puter user, and so what you have is in effect all these sneak, covert 
kinds of programs that are really trying to take those rights away 
from the owners of computers around the country. It seems to me 
that this will ensure that computer owners have knowledge and 
control over what gets placed on their computers, and given the so- 
phistication of people who try to take advantage of the public, it 
seems to me that this is important legislation to move on now. 

In effect, what these individuals who are engaging in this activ- 
ity that we think is violative of the computer owners’ rights, what 
they are doing is they’re acting as parasites, they’re acting as peo- 
ple who would put parasites on computers, put unwanted software 
that can burrow in and install itself on a hard drive where it pro- 
ceeds to use the computer and the Internet connection for its own 
purposes. And as you have noted, the owner of the computer fre- 
quently doesn’t know the intruder is there and very often has no 
way to get rid of it once he or she finds out. 

So I think as we go forward in this debate, for those who may 
have reservations about this and want to oppose it, I want them 
to answer the central question. How can it be that those who own 
computers and have access to the Internet shouldn’t have that 
treated as private property? That is what this is really all about. 
You don’t get opportunities to come into somebody’s home without 
their knowledge and permission, and you shouldn’t expect others to
be able to take advantage of you in the kind of way that these 
parasites and snoops and spies are doing. 

I think we’ve written this bill carefully. I’d like to put into the 
record an editorial from the New York Times that I think makes 
an important point in the sense that it’s important not to write the 
definitions of what we’re going to be doing to protect the consumer 
in too narrow a fashion. The Center for Democracy and Technology 
has done some very good work in terms of trying to ensure we have 
enough flexibility in those definitions so as to address the issue in 
a responsible way, and I’d very much like to have the editorial from 
the New York Times warning about the danger of making sure that 
you don’t write this bill in too narrow a fashion put into the record. 

I think this is a good bill and the fact that you and I and Senator 
Boxer have a chance to team up on it means that we can make this 
a priority even though this session is short, and I hope that we will 
be able to move it quickly to the full committee. 

Senator Burns. Thank you, Senator Wyden, and I do too. I share
your concerns. It’s my computer, it is private property, I bought it 
and paid for it, and for my use only, not some leech. Senator Boxer. 

STATEMENT OF HON. BARBARA BOXER, 

U.S. SENATOR FROM CALIFORNIA 

Senator Boxer. Mr. Chairman, I couldn’t top that, I really 
couldn’t. I am so pleased to work with you and Senator Wyden and 
our staffs have worked together and I’m proud to be on the SPY 
BLOCK Act, and I’d ask unanimous consent that my full statement 
be placed in the record. 

Senator Burns. Without objection. 

Senator Boxer. And I will summarize it very briefly. If we saw 
someone with a binoculars looking in someone else’s window, we’d 
call the cops, and I think that in many ways what we’re doing is 
very similar to that, but it’s even worse than looking in a window. 
It’s really getting into someone’s head and someone’s life. 

So this is really important, it’s very important, and I do hope we 
can prevail and get this done pretty quickly. You know, it is a pro- 
consumer bill, but I want to say to my colleagues it’s also a pro- 
industry bill in my opinion. We’re going to have people say it isn’t, 
but it is, because I got news for you. If people think that they’re 
being spied upon, they’re going to use that computer a lot less than 
they normally would, and we’re going to have people running away 
from using their computer just because this is America and we 
don’t like that. 

So I think what we’re doing is pro-consumer but it’s pro-business 
as well. And basically the rest of my statement goes into how it’s 
very important to clearly talk about software, not just spyware, 
and that’s what we try to do in the bill so people can’t say, well, 
my definition doesn’t fit to what you’re doing. We want to make 
sure we cover everybody and that this bill is really going to do the 
job that it set out to do. 

So again, I’m very pleased to be with you in this fight and I hope
we can get it done. And I’m going to be running out for a minute 
and coming back to hear the testimony and look forward to our 
partnership on this.

[The prepared statement of Senator Boxer follows:]

Prepared Statement of Hon. Barbara Boxer, U.S. Senator from California 

Mr. Chairman, thank you for holding this hearing. Last month, I joined you and 
Senator Wyden in introducing the “SPY BLOCK Act” (S. 2145). Our legislation is 
designed to address increasing concerns that I have heard coming from California 
and other states over “spyware.” 

Spyware, and other types of software called “Adware,” are delivered into the 
homes and offices of consumers and onto their computers often without their knowl- 
edge and consent. 

These invisible snoops follow consumers everywhere they go on the Internet and 
they bombard consumers with targeted pop-up ads. 

Our bill simply says that software makers, including spyware makers, cannot 
sneak into your computer. Specifically, the SPY BLOCK Act prohibits the installa- 
tion of software without notice and consent of an authorized user. Additionally, the 
software must provide clear procedures to uninstall the software and must be capa- 
ble of being completely and easily removed. 

The most common objection to the bill we have heard is that it should focus only 
on “spyware.” But as this hearing will show, nobody thinks the software they 
produce IS spyware. 

The reason the legislation targets software is because the people who produce 
spyware will always try to define themselves out of the category by claiming that 
their particular software is not spyware. By applying common principles of con- 
sumer rights for all software, we deal with the spyware problem and enhance con- 
sumer rights on the Internet more broadly. 

Mr. Chairman, I am proud to work with you on this issue and look forward to
working with the witnesses here today to make the legislation as effective as pos- 
sible. 

Senator Burns. Thank you, Senator Boxer. We’ll keep you up to 
date. 

Senator Boxer. I’ll be right back. 

Senator Burns. OK. We’d ask our witnesses to come to the table 
now. We have Mr. Avi Naider, President and CEO of WhenU.com 
Inc. from New York; Mr. Robert Holleyman, President and CEO of 
Business Software Alliance, we worked a lot with that group of 
people and with extreme pleasure; Mr. Jerry Berman, President of 
the Center for Democracy and Technology, and, of course, if there 
has been a man who has been around the Internet any longer than 
this man then they had to come before dirt almost, Jerry, so thank 
you for coming today. 

Mr. Berman. Are you talking about my age or my expertise? 

Senator Burns. Both, I think. And Dr. John Levine, President 
and CEO of Taughannock Networks from up in New York, and we 
appreciate you coming today too and I’ll try and get that networks 
pronunciation down much better so I’ll have to apologize for that. 

We’ll start with you, Mr. Naider, if you’re ready, and we look for- 
ward to hearing your testimony. 

STATEMENT OF AVI Z. NAIDER, PRESIDENT AND CHIEF 
EXECUTIVE OFFICER, WHENU.COM, INC. 

Mr. Naider. Good afternoon, Mr. Chairman and Members of the 
Subcommittee. I thank you for the opportunity to appear before 
your Subcommittee as it examines the issues surrounding spyware. 
I am Avi Naider, President and Chief Executive Officer of 
WhenU.com. WhenU is an online contextual marketing company. 
WhenU makes software that recognizes the immediate interests of 
an online consumer and automatically displays highly pertinent 
coupons and advertisements in response to the consumers’ expressed
interest.

Consumers visiting the Staples website who have WhenU soft- 
ware might be presented with a coupon to save $30 off a $150 pur- 
chase at Staples. Consumers researching a trip to London who 
have WhenU software might be shown a pop-up with a special $99 
fare on British Airways. This is why we named the company 
WhenU. It provides you with relevant and timely information when 
you shop online, when you travel to London, and so on. 

Our software presents information to consumers that is targeted 
and timely. At the same time, our software aggressively protects 
consumer privacy. In the past, targeted marketing in the U.S. has 
been enabled by collecting information about households and indi- 
vidual consumers into large data bases. These data bases are re- 
plete with information about who we are, what we buy, how afflu- 
ent we are, and lots of other personal information. 

We started WhenU because we believe that targeted marketing 
can be done without collecting personal information about con- 
sumers and building profiles. WhenU does not have a database of 
consumers or any consumer profiles at all. Instead, our software 
uses a proprietary directory of the Internet that categorizes various 
indicators of consumer interest and delivers precisely targeted mes- 
sages that inform the consumer’s decisionmaking process. 

The software does all this without sending individual consumer 
activity back to WhenU. WhenU’s software-based advertising is a 
promising technology that begins to fulfill the potential of the 
Internet as a rich, personalized, one-to-one marketing and informa- 
tion delivery experience. We believe that WhenU software and 
other methods of contextual marketing are likely to emerge as en- 
gines of major growth for the Internet in the future. 

The WhenU desktop advertising network represents millions of 
consumers who have installed WhenU software on their computers. 
Typically, consumers download WhenU contextual marketing soft- 
ware as part of a bundle that contains free popular software. De- 
velopers of such free software rely on the revenue generated by 
companies like WhenU often as their sole or primary revenue 
model. They view WhenU as win-win technology that offers con- 
sumers free coupons, relevant advertising, and free software, all 
while protecting consumer privacy. 

WhenU software is anything but spyware. WhenU follows a 
strict privacy policy, and in addition, respects the principles of con- 
sumer choice in the following ways. The consumer always receives 
a clearly visible notice that WhenU software is part of a download. 
The consumer is given easy access to a clear and concise license 
agreement that he must affirmatively accept to proceed with the 
installation of WhenU software. 

WhenU-generated ads, offers, and coupons are boldly and con- 
spicuously branded by WhenU, and WhenU software is easy to 
uninstall. WhenU fully supports the principles underlying the SPY 
BLOCK Act. We also favor further and detailed study of the com- 
plex issues presented in order to enable Congress to craft an effec- 
tive national legislative solution. 

Many of the legislative issues currently proposed, both at the 
state and the Federal level, are either overly broad or lack the
necessary nuance to address the problem effectively, and yet still allow
promising technology to develop. As a result, they potentially regulate
or even restrict consumer-friendly, privacy-protective, and
mainstream software, while failing to protect consumers against 
software that truly threatens privacy and security. 

Ironically, carelessly-worded spyware legislation that lacks nu- 
ance will do more to promote the spyware problem than solve it. 
Because if legitimate advertising models that truly give choice to 
consumers are lumped in with nefarious software that intends to 
deceive, rogue and unscrupulous companies who play by no rules 
and adhere to no standards of consumer protection will be given 
the upper hand in the marketplace, and this outcome would be dev- 
astating. 

On the other hand, carefully worded and nuanced legislation can 
set standards for the online industry and serve as a beacon for the 
marketplace and for advertisers looking to use legitimate tech- 
nologies that can reach their target consumers. We believe that the 
proceedings today and the FTC workshop to be held in April will 
produce a detailed record that will undoubtedly help inform future 
legislative efforts. 

We look forward to continuing to work with you, Mr. Chairman 
and the members of the subcommittee to develop a comprehensive 
and effective solution to this pervasive problem. Thank you. 

[The prepared statement of Mr. Naider follows:] 

Prepared Statement of Avi Z. Naider, President and Chief Executive 
Officer, WhenU.com, Inc. 

Introduction 

Good afternoon, Mr. Chairman and members of the Subcommittee. I thank you 
for the opportunity to appear before your Subcommittee as it examines the issues 
surrounding “spyware.” I am Avi Naider, President and Chief Executive Officer of 
WhenU.com, Inc. (“WhenU”). 

WhenU and the Evolution of Contextual Marketing on the Internet 

WhenU is an online contextual marketing company. Our software delivers infor- 
mation about products and services to consumers online at the moment that infor- 
mation is most relevant to them. WhenU addresses an age-old problem: consumers’ 
lack of access to potentially valuable market information when they need it most. 
Although consumers are inundated on a daily basis with information of all sorts, 
including offers from advertisers, the value of such information is reduced because 
it is not shown to the consumer at the right moment in time. WhenU’s software de- 
livers highly pertinent coupons and advertisements based on consumers’ immediate 
interests, as reflected in their immediate Internet browsing activity, yet is highly 
protective of consumer privacy. 

Contextual marketing technology as developed by WhenU evolved naturally from 
the decades old, multi-billion dollar database marketing industry, which at its core, 
relies on behavioral targeting of consumers. Database marketing has been used for 
years by numerous companies to analyze individual consumers’ past purchasing be- 
havior in an attempt to determine what discounts and offers would be most attrac- 
tive to those consumers in the future. For example, American Express tracks and 
analyzes the purchasing behavior of its credit card holders and uses the information 
gleaned from such analysis to mail potentially pertinent offers to such consumers. 

More recently, companies have advanced the field of behavioral marketing by de- 
ploying new technology-driven solutions. For instance, Catalina Marketing has de- 
veloped technology that links to the point-of-sale (POS) systems of many grocery 
stores and analyzes the purchases of individual consumers as they are scanned by 
the cashier. Based on the particular products purchased by the consumer, targeted 
offers and incentives for competing products are then immediately printed for the 
consumer (typically on the back of his or her grocery store receipt). 

Software-based contextual marketing technology as developed by WhenU is a fur- 
ther evolution in the field of behavioral marketing. Whereas traditional database 
marketing companies, and even innovators such as Catalina Marketing, analyze a
consumer’s past and current purchases to predict what the consumer will purchase 
in the future, software-based online marketing technology assesses the activity of
the consumer in real time, at the very moment the consumer is researching a cer- 
tain product or category of products on the Internet. Essentially, WhenU’s tech- 
nology utilizes the unique capabilities of the Internet environment to offer the con- 
sumer information that might assist him or her in making a purchase decision be- 
fore the decision is made, at a time when the information is most useful. Imagine 
that while you are looking in a store window at a new DVD player, someone ap- 
proaches you with an offer to get a DVD player at a better price at a store down 
the street. WhenU’s technology allows the same thing to happen millions of times 
per day by providing consumers with offers to purchase all types of goods and serv- 
ices on the Internet. 

The Internet by its very nature enables real-time contextual marketing in a ro- 
bust and scalable manner. Since the Internet is a medium in which all activity is 
transmitted electronically, WhenU software can scan the Internet browsing activi- 
ties of a participating consumer to determine his or her immediate interests, and 
connect thousands of advertisers and millions of participating consumers with the 
right advertisement or coupon when it is most relevant to the consumer. WhenU’s 
software effectively provides consumers with comparative advertising that presents 
them with a choice. The idea behind the WhenU software was to revolutionize tar- 
geted marketing from the old model in which interests are deduced based on who 
a consumer is and what their personal information is, to a new software-based
system that focuses on actual interests as reflected in their Internet browsing activity -
when you shop, when you travel, when you invest. In fact, that’s why we named
the company WhenU. “When you” are about to book a trip to London, WhenU soft- 
ware will deliver a relevant offer to you. 

Best of all, WhenU is able to deliver precisely targeted advertisements that are 
highly relevant while at the same time protecting consumer privacy. From the be- 
ginning, consumer privacy has been important to WhenU. WhenU does not collect 
any personally-identifiable information. The WhenU software does not track user 
data, does not use cookies to track consumers, does not track users’ clickstream 
data, does not create anonymous user profiles, and does not compile a centralized 
database of users. All of the activity takes place on the user’s computer (or “desk- 
top”). The only information that is transmitted back to WhenU is information that 
allows us to show advertisements and coupons to the consumer and make sure the 
offers we do show are shown at the moment that they are likely to be most useful 
to the consumer. We are proud of our privacy policy and explain it in detail on our 
website. 

WhenU’s software represents a significant departure from the way advertising on- 
line initially started. In general, early methods of online advertising were not able 
to deliver on the promise of the Internet as a rich, personalized consumer contact 
point. Poorly targeted e-mails, banner ads, and non-contextual pop-ups have yielded 
click through rates of less than one percent (1 percent), and millions of wasted ad- 
vertiser dollars. To leverage the full power of the Internet and continue to develop 
the Internet into the kind of rich revenue-generating medium it should be, adver- 
tisers have begun to understand that successful online advertising must take advan- 
tage of the Internet’s unique potential to deliver targeted and relevant advertising 
in response to what consumers are looking for. 

As an example, paid online search, a model promoted currently by companies such 
as Yahoo! and Google, represented as little as 3 percent of the online advertising 
market in the year 2000, but this year is expected to reach 37 percent as advertisers 
recognize the power of delivering relevant ads to consumers seeking specific
products. WhenU believes that software-based advertising will similarly emerge as an
engine of major growth for the Internet in the future, as advertisers and consumers 
continue to experience the power and richness of software as a medium for deliv- 
ering highly targeted and useful information and advertising online. 

WhenU’s Desktop Advertising Network 

The WhenU Desktop Advertising Network represents millions of consumers who 
have installed the WhenU software on their computers. Typically, consumers 
download the software as part of a package, or “bundle,” of software that enables 
consumers to get popular software for free. Software companies routinely bundle 
revenue-generating, advertising software (known as “adware”) with free software 
programs (known as “freeware”) to enable them to offer the freeware to consumers 
at no cost. In some instances, software developers might give consumers the choice 
between paying for the software or agreeing to receive ads from WhenU in exchange 
for getting the software for free. Developers of such free software applications rely 
on the revenue generated by software companies like WhenU to enable them to
continue to offer their software free of charge. In any event, consumers are given a
clear notice and choice whether or not to download WhenU software. 

Once downloaded, the WhenU software (called SaveNow, or Save!, but referred to 
generally as SaveNow) resides on the consumer’s computer and generates advertise- 
ments through the use of a proprietary directory that is delivered to and saved on 
the consumers’ desktop when the consumer installs the software. This proprietary 
directory is compiled and updated by categorizing the Internet in much the same 
way as a local Yellow Pages indexes merchants into various categories. 

As a participating consumer “surfs” the Internet, the SaveNow software studies
page content, keywords, web addresses, and search terms from the consumer’s web
browser to determine whether any of those terms, web addresses and/or content
match the information in the directory. If the software finds a match, it identifies 
the associated product or service category and determines whether an appropriate 
advertisement for that category is available to be displayed, subject to timing and 
frequency restrictions contained in the software. 

With the WhenU software, it is ultimately the consumer who drives whether a 
particular element will be included in the WhenU directory, because the directory 
is intended to contain terms that reflect the interests of the consuming public. Simi- 
larly, it is the user’s actions on his or her desktop that ultimately determine wheth- 
er an advertisement is eligible to be seen. Since its founding in February 2000, 
WhenU has delivered online marketing for more than four hundred advertisers, in- 
cluding such well known companies as Priceline, British Airways, Delta Airlines, 
JPMorgan Chase, Kraft, Cingular, Ford, and ING Bank. 

In short, WhenU provides a useful and privacy-protective opt-in service to partici- 
pating consumers, provides a revenue model for popular free software, and contrib- 
utes to the development of the Internet-enabled desktop as a comparative shopping 
medium. 

What is Spyware? 

“Spyware” generally refers to software that appears harmless but, once 
downloaded, operates differently than its stated functionality, such as by stealing 
or transmitting personal data about the consumer and his or her browsing habits, 
keystroke data, or clickstream behavior. Spyware also can refer to software that 
sneaks onto user’s computers, masks its operations once it has been installed on the 
computer, and is nearly impossible to uninstall. Sometimes programs that are sur- 
reptitiously downloaded onto user’s computers and show ads whose source is not 
easily identifiable are referred to as spyware. 

WhenU has sometimes been accused of being “spyware.” It is not surprising that 
some people who do not understand the WhenU technology think that it is invasive 
to privacy - how else, they wonder, can it alert a consumer to a discount hotel site
when that consumer is looking at hotel rates in Washington, D.C.? However, prop- 
erly understood, WhenU’s unique proprietary technology cannot be considered 
spyware. WhenU’s software-based advertising model respects the principles of
consumer choice and consumer privacy, in three distinct ways.

First, regardless of the method of distribution, during the installation process, the 
consumer always receives a prior notice that SaveNow is part of the download. To 
proceed with the installation of SaveNow, the consumer must affirmatively accept 
a clear and concise license agreement. The license agreement explains that the soft- 
ware generates contextually relevant advertisements and coupons, utilizing “pop-up” 
and various other formats. 

Second, once a user has installed the SaveNow software, it is easy for a user to 
identify what the WhenU software does. WhenU makes the ads, offers and coupons 
served by WhenU easy to identify. Ads on the WhenU Desktop Advertising Network 
are displayed in a separate, WhenU-branded window, including the marks “Save!” 
or “SaveNow”, depending on the particular download partner, and other elements 
specially included in the WhenU window. In addition to WhenU’s unique branding, 
every WhenU offer also contains a notice on its face that: “This is a WhenU offer 
and is not sponsored or displayed by the websites you are visiting.” And, with 
WhenU’s highly-protective privacy policy, users do not have to be concerned about 
privacy, since no personal information is transmitted to or collected by WhenU. In 
fact, WhenU’s strict privacy policy far exceeds current standards in the Internet ad- 
vertising industry. 

Finally, after accepting a license agreement and downloading the software, con- 
sumers can easily remove or “uninstall” the software from their computers if they 
no longer wish to keep it. Every ad shown by WhenU contains links to further information 
about the software and information about how to uninstall it. In addition, 
these links also allow consumers to easily contact WhenU by e-mail for more information. 
The software can be easily uninstalled through the computer’s Control 
Panel Add/Remove Programs menu, the standard process used for uninstalling most 
Windows-based software. Once properly uninstalled, the WhenU software will cease 
to operate or show advertisements or coupons on the consumer’s computer. 

The Threat of Spyware and the Solutions to Spyware 

Spyware is a serious problem affecting millions of computer users every day. If 
the spyware problem continues to grow, unabated, it may deter computer users from 
the Internet and slow the creation and dissemination of new and innovative soft- 
ware programs available to users from the Internet. 

As discussed above, WhenU is very different from “spyware.” But notwithstanding 
these significant differences, WhenU is often swept in with software that threatens 
user security and privacy. That is why we believe that it is necessary and desirable 
for Congress and the FTC to regulate this area in order to protect consumers from 
spyware and protect the development of the Internet as a rich and promising 
medium. 

Current efforts being employed to address consumer concerns are helpful, but 
they typically fail to get at the real problems presented by spyware. For instance, 
the marketplace is replete with “anti-spyware” software, but many of these software 
programs are indiscriminate in their identification of so-called “spyware” and, as a 
result, often identify benign programs or even files such as cookies, which are com- 
monly employed by Internet websites to identify users who have accessed the site 
previously. Moreover, most of these programs prompt users to uninstall any soft- 
ware identified as spyware or as a threat. As a result, consumers may be prompted 
to unknowingly uninstall software that is far from nefarious and that they or an- 
other member of their household quite deliberately installed. Users may even have 
paid for software they are prompted to uninstall, or they may be required to keep 
such software to support free software that they have also installed. If marketplace 
solutions unduly burden the revenue model that software providers rely on to con- 
tinue to offer their software for free, it will discourage the creation and distribution 
of free software, and force consumers to have to pay for such programs. 

At the same time, State legislative solutions are being proposed to respond to the 
growing menace of spyware, but many of these proposed solutions suffer from the 
same problems created by “anti-spyware” software: They inadvertently regulate or 
even restrict consumer-friendly, privacy-protective and mainstream software while 
failing to protect consumers against software that truly threatens consumer privacy 
and security. They are also subject to the concerns of local businesses and may not 
address the problem from a national perspective. As a consequence, these solutions, 
such as the one recently proposed and passed by the legislature in Utah, are gen- 
erally ineffective and overly broad. 

WhenU is in favor of Federal efforts to combat spyware, and fully supports the 
principles behind the SPY BLOCK Act. As per our practice, WhenU believes that 
users should receive notice about any application before they download it, should 
be required to affirmatively accept a clear license agreement that discloses the na- 
ture of the application and its functionality, should be presented with information 
that identifies the source of every window that is generated by software on their 
desktop, and should be able to uninstall any software application through standard 
and easily accessible means. WhenU also is in favor of legislation that provides that 
the Attorney General, States Attorneys General and the FTC should be solely re- 
sponsible for implementing and enforcing its provisions. However, WhenU first sup- 
ports careful study and consideration of the problems surrounding spyware. How to 
combat “spyware” is a complex issue, and we believe the approach lawmakers 
should take to address the issue should be as nuanced as the problem itself. 

Ironically, carelessly worded spyware legislation that lacks nuance will do more 
to promote the spyware problem than solve it. If legitimate advertising models that 
truly give choice to consumers are lumped in with nefarious software that intends 
to deceive, rogue and unscrupulous companies who play by no rules and adhere to 
no standards of consumer protection will be given the upper hand in the market- 
place. And this outcome would be tragic. On the other hand, carefully worded and 
nuanced legislation can set standards for the online industry and serve as a beacon 
for the marketplace and for advertisers looking to use legitimate technologies that 
can reach their target consumers. 

We believe that the proceedings today and the FTC Workshop to be held in April 
will produce a detailed record that will undoubtedly help inform future legislative 
efforts. We look forward to continuing to work with you, Mr. Chairman, and the 
members of the Subcommittee, to develop a comprehensive and effective solution to 
this pervasive problem. Thank you. 

Senator Burns. Thank you very much. Robert Holleyman, thank 
you for coming today, Software Alliance. 

STATEMENT OF ROBERT W. HOLLEYMAN II, PRESIDENT AND 
CEO, BUSINESS SOFTWARE ALLIANCE (BSA) 

Mr. Holleyman. Mr. Chairman, Senator Wyden, it’s indeed a 
pleasure to be here this afternoon testifying on behalf of the mem- 
ber companies of the Business Software Alliance. Our organization 
works for leading developers of personal computer software, enter- 
prise software, our key hardware partners and Internet technology 
developers on public policy issues in the United States, where we’re 
headquartered, and in more than 65 countries around the world. 

I am delighted to be able to talk with you today about options 
to provide the best way to protect consumers from the problems as- 
sociated with spyware. At the Business Software Alliance, we ap- 
plaud the intent of the SPY BLOCK Act that you have introduced 
along with Senators Wyden and Boxer. 

This afternoon I’d like to make three key points. First, computer 
snooping or spying on computer users is reprehensible behavior 
that invades our privacy. However, the problem is with bad behav- 
ior, not bad software tools or products. 

Second, for this very reason, Congress should ban only the 
behavior and not the technology. And third, we believe that the bill 
as introduced can be enhanced by focusing more directly on pun- 
ishing such behavior. Doing so would accomplish the current intent 
of the bill without placing Congress in the position of approving or 
disapproving technologies. 

Indeed, Mr. Chairman, you and the other Members of this Com- 
mittee have been leaders in adapting laws to the information age. 
You’ve done so carefully, deliberately, and in a well thought out 
fashion. We agree fully that we need to stop e-spying and that it 
will harm the consumer experience in using their computers and 
the Internet. It is wrong and it should be stopped. 

But it’s also essential that we recognize that the problem comes 
from bad people, bad actors, not from bad products. That same un- 
derlying technology that can enable spyware also may power many 
legitimate applications that benefit millions of computer users 
every day. 

Mr. Chairman, I feel like I’m preaching to the choir. Last year 
Congress stopped unwanted telemarketing, not telephones. You 
canned SPAM by criminalizing fraudulent conduct, not by banning 
commercial e-mail. And in the 1990s, you wisely recognized it was 
unwise to try to ban encryption technology, choosing instead to 
focus on those who might use encryption to commit crimes. 

Your Committee and the Congress as a whole has wisely and 
consistently avoided technology mandates. You understand that the 
U.S. technology industry and our own leadership in high-tech inno- 
vation are crucial to America’s economic future. 

We appreciate the author’s clear intent to protect legitimate soft- 
ware from being swept into the bill and you’ve done so through a 
series of definitions and exceptions that the bill employs. However, 
at the same time, the BSA feels that these definitions can be 
fraught with peril in the current software environment, especially 
as new technological developments occur. 

As an alternative, we suggest that the Congress focus on the 
most egregious practice of commercialization of information from 
electronic spying. Congress should prohibit the distribution of user 
information obtained electronically from an individual’s computer 
unless one of two tests are met. Either the person seeking to sell 
the information must show that it was collected with the user’s 
permission or that it was obtained from an entity that collected the 
information with such permission. 

Such an approach would achieve the main objective of stopping 
e-spying while significantly avoiding the tough definitional issues 
and their implications for the future development of technology. 

With respect to enforcement, we agree that the FTC should be 
given primary responsibility. The FTC should treat violations as an 
unfair or deceptive activity under the FTC Act. We also believe 
that the Justice Department should be authorized and empowered 
to subject those who violate the legislation to criminal fees and im- 
prisonment under Title 18 of the United States Code. That would 
send a clear message that the commercialization of information 
from electronic spying will not be tolerated. 

However, we think that state attorneys general should be given 
enforcement authority in this area only if we have a Federal stand- 
ard. Remote access electronic spying through spyware is a national 
problem and we think it should be treated as such. 

I’d like to thank you again, Mr. Chairman, for the opportunity 
to talk today on the issue of spyware and the SPY BLOCK bill. We 
believe that working together this bill can be enhanced to directly 
and effectively address the issue we’re all most concerned about, 
electronic spying. The BSA is eager and willing to work with you 
and the other members of the Committee in that regard, Mr. 
Chairman. Thank you for this opportunity to testify. 

[The prepared statement of Mr. Holleyman follows:] 

Prepared Statement of Robert W. Holleyman II, President and CEO, 
Business Software Alliance (BSA) 

Good morning. Thank you very much for the opportunity to testify here today. My 
name is Robert Holleyman and I am President and CEO of the Business Software 
Alliance (BSA).¹ 

BSA represents the world’s leading developers of software, hardware and Internet 
technologies both in the U.S. and internationally. Our mission is to educate com- 
puter users on software copyrights and cyber security, advance public policy that 
fosters innovation and expands trade opportunities, and fight software piracy. We 
are headquartered in Washington, D.C., and are active in over 66 countries inter- 
nationally. 

It is a pleasure to be with you today to discuss a serious issue of consumer protec- 
tion: protecting millions of computer users from those who secretly install software 
on computers in order to obtain information about those users. Such software goes 
by the name of “spyware.” That is clearly the intent of the SPY BLOCK Act (S.2145) 
introduced by Chairman Burns and Senators Wyden and Boxer. It is also the intent 
of the Safeguard Against Privacy Invasions Act (H.R. 2929) introduced by Rep- 
resentatives Bono and Towns. 


¹ The Business Software Alliance (www.bsa.org) is the foremost organization dedicated to 
promoting a safe and online world. The BSA is the voice of the world’s software and Internet 
industry before governments and with consumers in the international market place. Its members 
represent the fastest growing industry in the world. The BSA members include: Adobe, Apple, 
Autodesk, Avid, Bentley Systems, Borland, Cisco Systems, CNC Software/Mastercam, HP, IBM, 
Intel, Internet Security Systems, Intuit, Macromedia, Microsoft, Network Associates, PeopleSoft, 
RSA Security, SolidWorks, Sybase, Symantec, UGS PLM Solutions Inc. and VERITAS Software. 

Mr. Chairman, you and the other members of this Committee have been leaders 
in adapting our laws to the information age — carefully and deliberately, with a scal- 
pel not a saw. This morning I would like to make three points. 

First, computer snooping, or spying on computer users, is a reprehensible practice 
that invades our privacy. However, the problem is with bad behavior, not bad soft- 
ware tools or products. 

Second, for that reason Congress should continue to ban the behavior not the 
technology. The problem is with abuse, not use, of technology. 

Third, we believe the bills as introduced can be improved by focusing more di- 
rectly on punishing the behavior rather than the means by which it is accomplished. 
Such an approach enables Congress to avoid having to make very difficult decisions 
about the design and operation of technology. 

Stop E-Spying 

We agree with the members of this Committee, other Members of Congress, and 
the public who rightfully complain about those who hijack computers. There is no 
policy rationale to justify the actions of those who secretly insert a computer pro- 
gram into someone’s PC in order to collect information about that individual or his 
or her computer habits. It is, pure and simple, an invasion of our privacy. It is 
wrong and it should be stopped. It is also a national problem and needs a national 
solution. 

Clearly some of these invasions of privacy are intended to, and do, cause economic 
harm. Someone might be trying to gain insider business information or corporate 
secrets. Others might be engaged in identity theft — a practice that is estimated to 
cost American consumers more than $50 billion each year. But electronic snooping 
is no less invasive if the information is being gathered “only” for marketing or re- 
search purposes. 

Ban Behavior Not Technology 

It is essential that we recognize that the problem comes from bad people, not bad 
products. The same underlying technology that can enable spyware also may power 
many legitimate applications that benefit millions of computer users every day. 

Let me put it a different way. We don’t ban crowbars because some people use 
them to break into houses. We don’t ban cars because some people use them to flee 
from a crime. And last year Congress did not ban telephones because some people 
use them to make unwanted marketing calls. Instead, Congress addressed the offen- 
sive behavior and established procedures to control telemarketing. 

Mr. Chairman, I feel like I am preaching to the choir. The Commerce Committee 
has been a leader in applying this principle to developing computer technologies. 

Just last year you moved aggressively and appropriately to “CAN-SPAM.” That 
legislation criminalized fraudulent conduct and established clear rules for legitimate 
business to follow. It made it illegal to access a computer without authorization and 
use it to send out bulk unsolicited commercial electronic mail or to hide or falsify 
information about the sender or subject matter of spam. The Act also required the 
inclusion of a functioning return e-mail address and a prohibition on sending mes- 
sages to recipients who opt not to receive them. It also addressed more “aggravated 
violations” such as the use of harvested addresses or the automated creation of mul- 
tiple electronic mail accounts. But what the bill did not do is to get in the way of 
the continued development of innovative technological solutions to combat spam and 
protect consumers. 

Mr. Chairman, this committee also successfully applied this principle during the 
encryption battles of the 1990s. You understood well that it was pointless to try and 
ban a technology prevalent around the world. Your “PRO-CODE” bill in 1996 pro- 
hibited the government from designing and mandating encryption standards and 
promoted the use of commercial encryption. At the same time, you also agreed with 
Senator Leahy in his legislation, as well as the House bill introduced by Representa- 
tives Goodlatte and Lofgren (the “SAFE” Bill), that it was unlawful to use 
encryption in the commission of a crime. 

Even the Communications Decency Act of 1996 (Title V of the Telecommuni- 
cations Act of 1996), which among other things sought to address the problem of 
on-line pornography and minors, did not ban the then emerging “interactive com- 
puter service.” Instead the Act criminalized the use of such a service to send or dis- 
play obscene and indecent content to those under 18. The Act also established a de- 
fense for those who in good faith took reasonable, effective and appropriate actions 
to restrict or prevent access by minors (including technological means to do so) — 
but precluded the FCC from endorsing, approving, sanctioning or permitting par- 
ticular products. 

This built on the underlying approach of the 1984 Computer Fraud & Abuse Act 
which has been amended many times since to expand and strengthen its criminal 
and civil penalties against computer abusers. This statute penalizes those who ac- 
cess a computer without appropriate authorization and cause broadly defined dam- 
age. This statute addresses both those who trespass in cyberspace for commercial 
gain as well as those who seek to cause harm by launching computer viruses. In- 
deed, one possible solution to the problem of electronic snooping would be to make 
illegal the act of commercializing information obtained through surreptitious means. 

Why has Congress consistently prohibited conduct not technology? Why has Con- 
gress refrained from interfering with the marketplace by dictating the design or op- 
erations of computers and consumer electronics? 

Congress has wisely avoided technology mandates because you understand that 
the U.S. technology industry is the envy of the world. It has been responsible for 
incredible improvements in productivity, millions of jobs, billions of dollars in 
exports, and immense benefits to every consumer. Government intervention that 
replaces marketplace solutions with governmental decisions endangers America’s 
technology leadership and hurts users of technology products by stifling innovation, 
freezing in place particular technologies, impairing product performance, and in- 
creasing consumer costs. 

Focus and Improve The Legislation 

We believe the pending legislation should be changed to focus even more clearly 
on what we are trying to stop, not the technology tools to do so. We also think that 
the most immediate, concrete and compelling problem is electronic spying — the un- 
authorized acquisition and use of information from individuals. 

Currently the SPY BLOCK bill has numerous definitions, requirements and ex- 
emptions which involve making technical decisions about the operations of today’s 
computers — as well as the direction of future technology. The bill: 

• attempts to define computer software, cookie, install; network information; in- 
formation collection feature, advertising feature, distributed computing feature, 
and settings modification feature; 

• in the case of advertising, distributed computing, and settings modification fea- 
tures requires descriptions of how those features will operate on, and with, a 
particular computer (e.g., “the nature, volume of information or messages, and 
the likely impact on the computer’s processing capacity of any computational or 
processing tasks the computer software will cause the computer to perform 
. . .”); 

• directs certain technical uninstall operations; and 

• necessarily seeks to exempt “any feature of computer software that is reason- 
ably needed to provide capability for general purpose online browsing, electronic 
mail, or instant messaging . . . determine whether or not the user of computer 
is licensed or authorized to use the computer software and provide technical 
support for the use of the computer software by the user of the computer.” 

We believe the problems inherent in such an approach can be avoided if Congress 
instead focuses directly on the behavior we are trying to stop: the unauthorized ac- 
quisition and commercialization of information. 

We suggest that Congress simply prohibit the distribution in interstate commerce 
of user information obtained electronically from an individual’s computer, unless the 
person seeking to sell the information can show that it was collected with user’s ex- 
plicit permission or that it was obtained from an unaffiliated entity that represents 
it had collected the information with such permission. Such an approach signifi- 
cantly mitigates the definitional issues in the bill as introduced — and their implica- 
tions for the development and use of technology — while achieving the objectives of 
the legislation. 

We also believe that what the bill calls advertising, distributed computing, and 
settings modification features should not be included in this legislation. None of 
these issues has risen to the same level of concern or been examined nearly as much 
as electronic spying. Each of these areas also raises separate and distinct sub- 
stantive and political issues. 

For example, having just spent nearly a year implementing legislation to control 
spam, we are concerned that additional legislation on advertising at this point 
would detract from the current focus on spying. We also think it is worthwhile to 
more closely examine existing laws that address deceptive advertising and business 
practices. Similarly, the case of distributed computing raises new questions. We un- 
derstand the concern about “zombie” machines utilized without consent — as opposed 
to the enthusiastic voluntary participation of tens of thousands in the search for 
extraterrestrial intelligence (the SETI project). But the concept of “grid computing” is 
just emerging as a serious commercial enterprise and we would be hesitant to cas- 
ually address it in this bill. Finally, we believe the area of settings as well as their 
modification is integrally related to on-going efforts to address cybersecurity con- 
cerns. Once again, we would be reluctant to address those issues in this bill. As 
many of the Committee’s members know, BSA has been extremely active in efforts 
to make computing safer and more secure. BSA was one of the hosts and cosponsors 
of the Department of Homeland Security Cybersecurity Summit last December 
and throughout this month we are announcing the significant results from private 
sector efforts initiated at the summit. 

More generally, we note that each of these areas may also be amenable to techno- 
logical and business practices. We think Congress should be careful not to preclude 
the evolution of tools and marketplace solutions. 

With respect to enforcement, we agree that the FTC should be given primary re- 
sponsibility. The FTC should treat violations as an unfair or deceptive act under the 
FTC Act. We understand that other regulatory agencies may have enforcement re- 
sponsibility in other areas. 

We also believe that the Department of Justice should be authorized and empow- 
ered to subject those who violate the legislation to criminal fees and imprisonment 
under Title 18 of the United States Code. We should send a clear message that en- 
gaging in electronic spying is reprehensible and will not be tolerated. 

However, we think that the State Attorneys General should be given enforcement 
authority in this area only if we have a Federal standard. Remote access electronic 
spying through “spyware” is a national problem. We think it should be treated as 
such. The obvious problems with empowering State Attorneys General in the ab- 
sence of a Federal standard is the prospect for many different enforcement actions 
based on many different theories and many different standards. 

Conclusion 

Thank you again for this opportunity to comment on the issue of “spyware” and 
the SPY BLOCK bill. Working together, I believe the bill can be improved to more 
directly and effectively address the issue we are all most concerned about: electronic 
spying. 

Senator Burns. Thank you. We appreciate that very much. Now 
Jerry Berman, President of the Center for Democracy and Tech- 
nology, and welcome Mr. Berman. 

STATEMENT OF JERRY BERMAN, PRESIDENT, THE CENTER 
FOR DEMOCRACY & TECHNOLOGY 

Mr. Berman. Thank you, Senator and Senator Burns, Senator 
Wyden, again, you are in the forefront of trying to protect privacy 
and user control of their computers on the Internet and we applaud 
you, both for your earlier efforts on behalf of trying to pass general 
privacy legislation, which I think is also involved in this issue, and 
also to try and craft a bill to deal with this very pernicious prob- 
lem. 

But I want to caution that before we rush to judgment we need 
Federal intervention here. We don’t need a plethora of state stat- 
utes, but we really have to spend a little time, take a deep breath, 
and try and define what we’re after here, because if we’re over- 
broad and include all computer software, I think it will be a night- 
mare to carve out the exceptions of what we’re really worried 
about, and spyware has been defined very broadly. Your bill begins 
to carve down and deal with the real problems. 

But in all of these cases, they may be over inclusive and only 
talk about privacy when the problem may be broader than that and 
go beyond privacy to whether, as you point out, consumers can con- 
trol their own computers and whether they’re being hijacked, and 
that doesn’t fit under this, quote, spyware, it’s something bigger 
than that. And I think we’ve got to put some of this terminology 
around and not get confused by it. 

I agree with Mr. Holleyman that we need to step back and say, 
what is the behavior that we’re worried about here, what gets us 
upset about software which performs functions which is being 
downloaded on your computer when you click on an ad, when you 
go and get a free service like Kazaa or in a peer-to-peer network 
or through e-mail or just by browsing on the Internet. Suddenly 
software is being downloaded on your computer and it is per- 
forming certain functions. What is the behavior that’s being per- 
formed by specific software, not all software but specific software 
that we care about? 

One, I give you three categories. One is software of spyware, if 
you like, that is collecting information, personal information from 
you on your site without notice or consent at all and delivering it 
to another party. That’s a clear snoopy privacy violation and it ap- 
plies to keystroke loggers and a whole bunch of other technologies, 
but rather than focus on the technology, focus on the behavior. 

The second category is information that is being collected about 
you and delivered to another site or to another person with inad- 
equate notice and consent. They’re saying, you consented, you 
clicked on the site, it popped up an end user licensing agreement 
six pages long, somewhere in there it said you’re consenting to re- 
ceive ads, you’re consenting to give us information, and as part of 
your Web browsing experience someone clicked on it, maybe your 
son clicked on it at night, my son clicked on it at night and now 
a software program is resident in my computer that’s collecting in- 
formation and sending it to another party. I don’t think that we 
need to deal with inadequate notice and consent. 

There’s a third category which goes beyond spyware and privacy 
altogether. It goes into user control over computer. If I don’t have 
enough notice and consent and I am now — resident on my com- 
puter is a program that’s popping up ads, they may not collect in- 
formation, but if I don’t really transparently deal with that com- 
pany when I click and download that software, and I now have a 
computer that’s serving up ads and I may not know anything about 
it, someone in my family may have clicked on it, but if I agreed 
to that, is it popping up and letting every user in that family agree 
to it? 

There’s this third category where your computer’s being hijacked. 
They take over your Web browsing experience. We have just filed 
a complaint at the Federal Trade Commission about a company 
that you click, you download the software, it opens up your disk 
drive, it pops up a note and says your computer lacks a lot of secu- 
rity and it advertises on your Web page for spy block and it’s Spy 
Wiper and it’s saying you need to buy this software. That is pri- 
vacy, that’s hijacking my computer, and it almost amounts, I think, 
to computer fraud and abuse under the computer fraud and abuse 
statute. 

Which brings us — all of this behavior — I want to cut my testi- 
mony short but say, if we define the behaviors, then we can begin 
to pick at several different solutions bases. What needs to be cov- 
ered by general privacy legislation? It would be interesting to only 
cover spyware when the notice and collection of information 
unfairly applies to websites too and other outliers. Why don’t we go 
back to principle one? 

The second issue is we need to look at what — is our Federal 
Trade Commission complaint going to work? If it is, or the com- 
puter fraud and abuse statute applies or ECBA applies, we need 
to sort that out so we’re not duplicating and creating another law. 

Beyond that, we need to look at how technology being offered by 
AOL and Earthlink allows us to sweep spyware. It’s a combination 
again, as in the spam area. We need legislation, we need tech- 
nology, we need industry practices, but we need to come together 
and help define that problem. That’s why we’ve written a report, 
that’s why we have a working group, that’s why we’re here today, 
that’s why we’re going to the Federal Trade Commission on April 
9. 

That’s enough for now. I’m anxious to work with all of you to try 
and resolve this issue. Thank you. 

[The prepared statement of Mr. Berman follows:] 

Prepared Statement of Jerry Berman, President, 

The Center for Democracy & Technology 

Mr. Chairman and members of the Committee, the Center for Democracy & Tech- 
nology (CDT) is pleased to have this opportunity to speak to you about the growing 
threat to consumers and Internet users posed by spyware and other invasive or de- 
ceptive software applications. 

CDT is a non-profit, public interest organization dedicated to preserving and pro- 
moting privacy and other democratic values and civil liberties on the Internet. CDT 
has been deeply engaged in the policy debate about the issues raised by so-called 
“spyware.” In November, 2003, CDT released a report “Ghosts in Our Machines: 
Background and Policy Proposals on the ‘Spyware’ Problem,”¹ providing background
on the spyware issue, evaluating policy and other solutions, and presenting advice 
for Internet users about how to protect their personal information and their com- 
puters from these programs. At the same time, CDT launched our public “Campaign 
Against Spyware,” calling for Internet users to send us descriptions of the problems 
they have encountered with these invasive applications.² CDT is also engaging in
in-depth meetings with the wide range of stakeholders in the spyware issue, including
ISPs, software companies, and consumer groups.

The proliferation of invasive software referred to as “spyware” is a large and rap- 
idly growing concern. These deceptive applications compromise users’ control over 
their own computers and Internet connections, and over the collection and sharing 
of their personal information. We praise the chairman and this Committee for hold- 
ing this hearing on S. 2145 — the SPY BLOCK Act — and thereby bringing public at- 
tention to this serious and complex issue. 

In our testimony today, we hope to address three principal questions: 

• What is “spyware?” The term spyware is extremely difficult to define precisely, 
and can itself be misleading. The term has been used to describe a wide and 
diverse range of software. What these programs have in common is a lack of 
transparency and an absence of respect for users’ ability to control their own 
computers and Internet connections. 

• How bad is the problem? It is difficult to precisely quantify the damage caused 
by these invasive applications — but it is clear that the problem is severe. 
Spyware is widespread and can threaten privacy, security, and computer per- 
formance. Even the less invasive forms of spyware can seriously inconvenience 
users and impose serious strains on the technical support resources of schools 
and legitimate businesses. 

• How can we respond to the problem? Responding to the problem of spyware requires
a multifaceted approach.

° Existing law could go a long way toward reducing the problem of spyware.
While longstanding fraud statutes already cover many of the issues raised by
these applications, currently they are rarely enforced against spyware programmers
and distributors. We encourage Congress to provide law enforcement
with the necessary resources to understand the phenomenon of spyware
and to bring to bear strong enforcement of these laws.

¹ http://www.cdt.org/privacy/031100spyware.pdf
² http://www.cdt.org/action/spyware

° Fundamental to the issue of spyware is the overarching concern about online 
Internet privacy. Legislation to address the collection and sharing of informa- 
tion on the Internet would resolve many of the privacy issues raised by 
spyware. We look to Congress to seize this important opportunity to address 
this larger issue. If we do not deal with the broad Internet privacy concerns 
now, in the context of spyware, we will undoubtedly find ourselves confronted 
by them yet again when they are raised anew by some other, as yet unantici- 
pated, technology. 

° To be effective, legislation and enforcement approaches will have to be carried 
out concurrently with better consumer education, industry self-regulation and 
the development of new anti-spyware technologies. 

° Legislation directed at some of the specific issues raised by software — such as
notice and consent for installation — may also have a role to play. While crafting 
such legislation will be difficult, the SPY BLOCK Act demonstrates the progress 
that has already been made in our understanding of the spyware problem. The 
bill plays a critical role in advancing the inquiry about spyware and developing 
approaches to addressing the issue. 

We address each of these questions in more detail in turn below. 

I. Understanding and Defining Spyware 

No precise definition of spyware exists. The term has been applied to software 
ranging from “keystroke loggers” that capture every key typed on a particular com- 
puter; to advertising applications that track users’ web browsing; to programs that 
hijack users’ system settings. In some cases, it has even been applied to web cookies 
or system update utilities designed to provide security patches directly to users. 
Spyware programs can be installed on users’ computers in a variety of ways, and 
can have widely differing functionalities. 

What the growing array of invasive programs have in common is a lack of trans- 
parency and an absence of respect for users’ ability to control their own computers 
and Internet connections. The debate over precisely how to define the term spyware 
(as well as other related terms such as “malware” or “adware”) has been contentious,
in some cases even leading to legal threats between companies.³ But this
semantic dispute diverts attention from the underlying question: Are consumers
offered meaningful notice and choice about the programs installed on their computers
and the ways in which their computers and Internet connections are used? 

The most egregious forms of spyware (sometimes called “snoopware” to distin- 
guish them from other categories) are typically stand-alone programs installed in- 
tentionally by one user onto a computer used by others. Some capture all keystrokes 
and record periodic screen shots, while others are more focused, collecting lists of 
websites visited or suspected passwords. These programs have legal uses (e.g., for 
certain narrow kinds of employee monitoring) as well as many clearly illegal ones. 

The more widespread spyware problem is that of applications installed on Inter- 
net users’ computers in the course of browsing online or downloading other unre- 
lated software. Users are typically unaware that these programs are being installed 
on their computers. Many “piggyback” on other free applications, such as screen sav- 
ers, system utilities, or peer-to-peer filesharing programs. In many cases, the only 
notice to the user about installation of such a secondary program is buried in a long 
and legalistic “end user licensing agreement.” In some instances, no notice of the 
bundling is provided at all. Other programs trick users into authorizing installations 
through deceptive browser pop-ups, or exploit security holes to install themselves 
automatically when a user visits a particular website. In some instances, once a pro- 
gram is installed, it begins to download and install other software with no notice 
to the end user. 

Spyware programs perform a variety of functions once they have gained access to 
a computer. Many track users’ web browsing and deliver pop-up advertisements. 
While there is nothing inherently objectionable about using advertising, including 
targeted advertising, as a means to support free software, advertising software must 
function in a way that is transparent to users, and users must have control over 
its installation and the ability to remove it. 


³ See, e.g., Paul Festa, “See you later, anti-Gators,” CNET.com, October 22, 2003 (available
at: http://news.com.com/2100-1032_3-5095051.html)

Other spyware programs can change the appearance of websites, modify users’
“start” and “search” pages in their browsers, or change low level system settings
without notifying users or obtaining their consent. Some will even co-opt users’
Internet connections to send out spam. Such software is often responsible for significant
reductions in computer performance and system stability.

Although much of the discussion about the spyware problem to date has focused 
on the privacy dimension of the issue, clearly many of these behaviors raise con- 
cerns beyond privacy. The term spyware itself can be misleading in some of these 
cases; arguably, a better term would be “trespassware.” 

Many spyware applications resist uninstallation. For example, advertising pro- 
grams that are originally installed as part of a “bundle” with other free software 
may not be removed when the main application is uninstalled. In some cases, 
spyware applications do not appear in the standard “Add/Remove” programs or 
other uninstallation feature of the system. In egregious instances, some programs 
reportedly even reinstall themselves after the user has made deliberate efforts to 
eliminate them. 

No single behavior of this kind defines “spyware.” However, together they characterize
the transparency and control problems common to such applications. Disagreements
will continue about whether particular applications do or do not deserve
this label. In the end, it may be best to think of spyware not as a discrete and well
defined category, but as the bad end of a spectrum of software practices, ranging
from industry best practices for transparency, notice, and control on one end, to
clearly deceptive and fraudulent behaviors on the other. Unfortunately, the resistance
of spyware to easy definition makes writing legislation to address the problem
difficult, as we discuss in detail in Section III below. 

II. Severity of the Spyware Threat 

It is difficult to quantify the spyware problem because of the definitional ques- 
tions mentioned above, and because the speed with which new spyware applications 
can appear and change makes reliable detection of the programs difficult. However, 
several indicators point toward the severity of the problem. 

Since CDT launched our public “Campaign Against Spyware” in November 2003, 
we received over 300 accounts of problems encountered with various spyware appli- 
cations. The sources of the responses demonstrate that the problem is pervasive — 
respondents included individuals dealing with the issue on corporate networks, on 
computers in schools, and on government networks. These users name a wide array 
of specific programs and identify several categories of concerns, including loss of pri- 
vacy, decreased stability, and the inability to use their computer, either because of 
barrages of pop-ups, or as a result of severely diminished performance. 

System administrators also responded to our “Campaign Against Spyware.” One 
of the biggest concerns raised by network administrators relates to the security 
holes created by these applications. Some spyware programs open major vulnerabili- 
ties by including the capability to automatically download and install additional 
pieces of code with minimal security safeguards. This capability is often part of an 
“auto-update” component.⁴

Network administrators report that spyware is as much or more of a problem 
than spam, viruses, or other security maintenance. One administrator told us that 
as many as 90 percent of the computers on the networks he manages have been in- 
fected with some variety of “spyware.” Another technical support worker reported 
that the majority of the problems he encounters can be traced back to “spyware,” 
and that his first recommendation to correct stability or performance problems is 
to run one of the free spyware search and removal utilities available on the Internet.

In our discussions with industry, CDT learned that invasive spyware applications 
also cause substantial harm to ISPs and distributors of legitimate software. In many 
cases, consumers are mistakenly led to believe that the problems resulting from 
spyware applications are a problem with another, more visible application or with
their Internet provider. This confusion places a substantial burden on the support 
departments of providers of those legitimate applications and services. Not only are 
affected users required to pay for otherwise unnecessary technical support calls, but 
those calls impose significant costs on businesses offering the support. Some industry
representatives we talked to estimated that the additional costs run in the millions
or tens of millions of dollars.


⁴ See, e.g., Saroiu, Stefan, Steven Gribble, and Henry Levy. “Measurement and Analysis of
Spyware in a University Environment” Proceedings of the First Symposium on Networked Systems
Design and Implementation, March 2004 (available at:
http://www.cs.washington.edu/homes/gribble/papers/spyware.pdf).

III. Responses to Spyware

Combating the most invasive spyware technologies will require a combination of 
approaches. First and foremost, vigorous enforcement of existing anti-fraud laws 
should result in a significant reduction of the spyware problem. 

Addressing the problem of spyware also offers an important opportunity to estab- 
lish in law baseline standards for privacy for online collection and sharing of data. 
Providing these protections would not only address the privacy concerns that cur- 
rent forms of spyware raise, but would put in place standards that would apply to 
future technologies that might challenge online privacy. Anti-spyware tools, better
consumer education, and self-regulatory policies are also all necessary elements of 
a spyware solution. 

Legislation to establish standards for privacy, notice, and consent specifically for 
software, such as the SPY BLOCK Act currently before this Committee, may play
an important role as well. The challenge to such efforts is in crafting language that 
effectively addresses the spyware issue without unnecessarily burdening legitimate 
software developers or unintentionally hindering innovation. We believe the current 
bill represents a major step forward, although several concerns still exist. 

So far the efforts to address the spyware issue are all in very preliminary stages. 
They will each require cooperation among government, private sector, and public in- 
terest initiatives. We discuss each approach in turn below. 

Enforcement of Existing Law 

CDT believes that three existing Federal laws already prohibit many of the 
invasive or deceptive practices employed by malevolent software makers. Better en- 
forcement of these statutes could have an immediate positive effect on the spyware 
problem. 

Title 5 of the Federal Trade Commission Act is most directly applicable to the 
most common varieties of spyware. We believe that many of the more invasive forms 
of spyware discussed above clearly fall under the FTC’s jurisdiction over unfair and 
deceptive trade practices.⁵ To our knowledge, the FTC so far has not brought any
major actions against spyware makers or spyware distributing companies. In Feb- 
ruary, CDT filed a complaint with the FTC against two companies for engaging in 
“browser hijacking” to display deceptive advertisements to consumers for software 
sold by one of the companies.⁶

The FTC’s plans for a workshop in April on “Monitoring Software on Your PC: 
Spyware, Adware, and Other Software,” is an encouraging indication that the Com- 
mission is devoting greater attention to this issue. CDT hopes that the clear mes- 
sage emerges from this workshop that the FTC must take a more prominent role 
in addressing this issue. 

We believe that one of the most immediate ways in which Congress could have 
a positive impact on the spyware problem is by directing the FTC to increase enforcement
against unfair and deceptive practices in the use or distribution of
downloadable software and by providing increased resources for such efforts. 

Several laws besides the FTC Act may also have relevance. The Electronic Com- 
munications Privacy Act (ECPA), which makes illegal the interception of commu- 
nications without a court order or permission of one of the parties, may cover pro- 
grams that collect click-through data and other web browsing information without 
consent. The Computer Fraud and Abuse Act (CFAA) also applies to some uses of 
spyware. Distribution of programs by exploiting security vulnerabilities in network
software, co-opting control of users’ computers, or exploiting their Internet connec- 
tion can constitute violations of the CFAA, especially in cases where spyware pro- 
grams are used to steal passwords and other information. 

In addition to Federal laws, many states have long-standing fraud statutes that 
would allow state attorneys general to take action against invasive or deceptive software.
Like their Federal counterparts, these laws have not been strongly enforced
to date.

⁵ Examples of clearly deceptive or unfair practices include:

• installing unwanted applications without giving users notice in the end user license
agreement or another form;

• providing notice only in a license agreement that is misleading or unclear, leading consumers
to think they are downloading one program when in fact they are downloading and installing
an application that does something completely different;

• utilizing consumer resources such as computer power or bandwidth or capturing personal
information without consent; or

• distributing programs that evade uninstallation.

⁶ Complaint and Request for Investigation, Injunction, and Other Relief, in the Matter of
MailWiper, Inc., and Seismic Entertainment Productions, Inc., February 11, 2004 (available at
http://www.cdt.org/privacy/20040210cdt.pdf).

New Legislation 

CDT has argued that the most effective way to address the spyware problem 
through legislation is in the context of online privacy generally. Specifically, we be- 
lieve that the privacy dimension of spyware would best be addressed through base- 
line Internet privacy legislation that is applicable to online information collection 
and sharing irrespective of the technology or application. CDT has advocated such 
legislation before the Senate Commerce Committee and in other fora. Until we ad- 
dress the online privacy concern, new privacy issues will arise as we encounter new 
online technologies and applications. 

At the same time, certain aspects of the spyware problem extend beyond the pri- 
vacy issues. Privacy legislation would not, for example, apply to software that com- 
mandeers computing resources but does not collect or share user information. A 
comprehensive legislative solution to spyware should address the user-control as- 
pects of the issue — piggybacking, avoiding uninstallation, and so on. 

The SPY BLOCK Act currently before this Committee represents an important 
first step towards addressing some of these problems. We appreciate the desire to 
craft targeted legislation focusing on some of the specific problems raised by 
spyware, and CDT applauds Senators Burns, Wyden, and Boxer for bringing attention
to these important questions. CDT strongly supports the goal of the SPY
BLOCK Act — to assure that users are provided with meaningful notice and choice 
about the applications that run on their computers. 

At the same time, we wish to emphasize the complexity of such efforts. The broad 
industry opposition to an anti-spyware bill recently passed in the Utah legislature, 
based on potential unintended consequences of the bill for legitimate software com- 
panies, demonstrates the difficulties that can be introduced by such legislation if it 
is not carefully drafted.⁷

Recognizing that development of appropriate standards for consumer software no- 
tice is still in preliminary stages, we suggest two areas of the SPY BLOCK Act that 
warrant further consideration and may require revision. 

• Standards for Notice — Providing consumers with informative, accurate notice is 
a challenging task. Ongoing efforts to craft “short notices” in the context of pri- 
vacy statements under the Gramm-Leach-Bliley Act both demonstrate the com- 
plexity of this problem and may provide a valuable model for the kind of notices 
that are appropriate in the context of downloadable software. Many so-called 
“spyware” applications already provide minimal notice to consumers buried in 
legalistic licensing agreements that come with bundled software. (Programs that 
do not provide even this level of notice are probably already illegal, as described 
above.) However, such minimal notice does not provide consumers the oppor- 
tunity to make meaningful and informed choices. To be effective, legislation will 
have to address the difficult issue of how best to ensure that the information 
that accompanies software is appropriately clear, distilled, and contextualized 
to allow users to make informed decisions. Simply requiring that programs list 
information prior to installation may not be enough. However, a bill that will 
burden users by prompting users for choice too often will not be effective either. 

• Scope — As currently structured, the SPY BLOCK Act covers almost all software,
but provides specific exemptions for certain kinds of “general purpose” software 
and certain specific uses of information. CDT is concerned that this approach 
creates difficulties for software developers while imposing unrealistic burdens 
on legislators. This tack requires that legislators develop a comprehensive list 
of functions for which the requirements of the bill are not appropriate. Creating 
such a list for existing technologies is challenging in itself. Moreover, such a list 
will likely become outdated as soon as new technologies are developed, or as the 
categories defined in the law shift. CDT has argued that privacy laws should 
be neutral with respect to technologies, and we believe the same principle ap- 
plies here. 

We believe that valuable insight into the questions of scope and appropriate notice 
for consumer software are likely to emerge from ongoing industry and public inter- 
est efforts to define best practices, discussed below, and from the FTC’s April Work- 
shop in spyware. We encourage the Committee to incorporate the results of these 
efforts into refinements of the current bill. 


⁷ See, e.g., Ross Fadner, “Leading Internet Providers Oppose Passage of Spyware Control Act,”
MediaPost, March 15, 2004 (available at: http://www.mediapost.com/dtls_dsp_news.cfm?newsID=242077)

Non-Regulatory Approaches

Technology measures, self-regulation and user education must work in concert, 
and will be critical components of any spyware solution. Companies must do a better
job of helping users understand and control how their computers and Internet
connections are used, and users must become better educated about how to protect 
themselves from spyware. 

The first step is development of industry best practices for downloadable software. 
Although not all software manufacturers will abide by best practices, certification 
programs will allow consumers to quickly identify those that do and to avoid those 
that do not. In the current environment consumers cannot easily determine which 
programs pose a threat, especially as doing so can involve wading through long and
unwieldy licensing agreements. 

Technologies to deal with invasive applications and related privacy issues are in 
various stages of development. Several programs exist that will search a hard-drive 
for these applications and attempt to delete them. Some companies are experi- 
menting with ways to prevent installation of the programs in the first place. How- 
ever, even these technologies encounter difficulties in determining which applica- 
tions to block or remove. Clear industry best practices are crucial in this regard as 
well. 

Standards such as the Platform for Privacy Preferences (P3P) may also play an
important role in technical efforts to increase transparency and provide users with
greater control over their computers and their personal information. P3P is a specification
developed by the World Wide Web Consortium (W3C) to allow websites to
publish standard, machine-readable statements of their privacy policies for easy access
by a user’s browser. If developed further, standards like P3P could help facilitate
privacy best practices to allow users and anti-spyware technologies to distinguish
legitimate software from unwanted or invasive applications.

The IT industry has initially been slow to undertake such efforts. However, in- 
creasing public concern about spyware and the growing burden placed on the pro- 
viders of legitimate software by these invasive applications has led to more industry 
attention on this front.⁸

CDT believes Congress can have an immediate positive impact by encouraging in- 
dustry to continue to develop these efforts toward self regulation. 

IV. Conclusion 

Users should have control over what programs are installed on their computers 
and over how their Internet connections are used. They should be able to rely on 
a predictable web-browsing experience and to remove, for any reason and at any time,
programs they don’t want. The widespread proliferation of invasive software applications
takes away this control.

Better consumer education, industry self-regulation, and new anti-spyware tools 
are all key to addressing this problem. New laws, if carefully crafted, may also have 
a role to play. Many spyware practices, however, are already illegal. Even before 
passing new legislation, existing fraud statutes should be robustly enforced against 
the distributors of these programs. 

The potential of the Internet will be substantially harmed if users come to believe 
that they cannot use the Internet without being at risk of “infection” from spyware 
applications. We must find creative ways to address this problem through law, tech- 
nology, public education and industry initiatives if the Internet is to continue to 
flourish. 

⁸ See, e.g., Earthlink press release: “Earthlink Offers Free Spyware Analysis Tool to All Internet
Users,” January 14, 2004 (available at: http://www.earthlink.net/about/press/pr_analysis/);
America Online press release: “America Online Announces Spyware Protection
for Members,” January 6, 2004 (available at:
http://media.aoltimewarner.com/media/newmedia/cb_press_view.cfm?release_num=55253697).

Senator Burns. Thank you, Mr. Berman. Dr. John Levine, thank
you for coming today.

STATEMENT OF DR. JOHN LEVINE, PRESIDENT AND CEO,
TAUGHANNOCK NETWORKS, AND AUTHOR, THE INTERNET
FOR DUMMIES

Dr. Levine. Thank you, Mr. Chairman, Senators. I’m John Levine,
I’m the president of Taughannock Networks, named after a
local waterfall, and I’ve written a variety of books, including the recent,
Fighting Spam for Dummies, which I hope CAN SPAM will
soon make obsolete.

Senator Burns. That’s just what I need. 

Dr. Levine. Well, this one’s for you. And I am the Chair or Co- 
Chair of a variety of grass roots organizations like the — I serve on 
the board of the Coalition Against Unsolicited Commercial E-mail 
and I Co-Chair the Anti-Spam Research Group, which is a tech- 
nical research group. 

But you’ve asked me to come today and talk about spyware, 
which I’m happy to do, because I happened to read the user mail 
sent to the Anti-Spam Coalition and every day I get mail from peo- 
ple saying spam is bad, but spyware is worse, how do I get rid of 
this junk? So although it has not been my primary interest in the 
past, it’s certainly one that’s coming up and one that’s very inter- 
esting for many of the same reasons related to privacy and con- 
sumer protection. 

I can divide spyware into a variety of sub-areas, which I think 
I don’t need to do, because in the previous comments it’s clear that 
everybody understands what they are. But I would like to back off 
and echo some of Mr. Berman’s comments that computers in everyday
life, and the way they work and the way they integrate into
people’s lives is very new and we don’t yet have laws and customs 
that describe how people react with software and if you have a 
computer which has some software from the vendor and some soft- 
ware from a website and some software from third parties, how 
they all react and what the experience for a computer user is. 

And it’s sort of as though, if somebody came and said, I have a 
great new business plan. I’m going to open up newspaper boxes 
and I’m going to stick my own ads in the paper and somebody says, 
you can’t do that. He says, of course I can, I paid 50 cents to get 
into the box. That kind of argument somewhat reminds me of some 
of the things I hear about spyware. It’s just like, well, you can do 
it, and down in paragraph 73 of some click-through agreement we 
said it was OK. 

I mean, to me, I see two issues. The first is an issue of consumer 
protection. With the adware that pops up ads and replaces ads in 
websites, consumers are completely confused. They don’t know 
where the ads are coming from. All they know is they don’t like 
them and they dislike ads that are popped up by websites that ac- 
tually place them, they dislike ads that are popped up by software 
like WhenU’s, they feel like they’re totally out of control and they 
don’t know whom to blame. So in that case there’s a real issue of 
consumer confusion. I think it’s a consumer protection issue. 

Beyond that, spyware presents a privacy problem because people 
click and say, yes, you can install your program and then it collects 
vast amounts of information very indiscriminately, and I have a 
bunch of scenarios in my written testimony. For example, if you are 
applying for a bank account online and a piece of spyware scrapes 
the data from that application and sends it off to the spyware ven- 
dor, the spyware vendor now knows enough about you to commit 
identity theft. Or if you are conferring with a close relative or with
your doctor or with your lawyer, they can collect information to do 
anything from sending you bogus ads saying, oh forget that chemo- 
therapy for your tumor, we have apricot seeds, to blackmail. 
These are enormous privacy issues and I think that we really
need to step back and look at them as an overall issue of con- 
sumers and computers, and although the spyware issue is impor- 
tant, I think it’s just one step on the way to coming up with sort 
of a general privacy and consumer protection policy that will affect 
all the ways that vendors and consumers and computers inter- 
relate. 

I have some comments on the individual bill. It’s a very well- 
crafted bill dealing with the specific issue of notice of spyware. I 
have two concerns. First is that I am concerned how realistic it is 
to expect people to understand the notice they’re given and to click 
through, particularly when you have computers that are used by 
adults and by children, particularly when frequently the notice is 
down in page after page of boring boilerplate. 

And I would encourage you to consider allowing consumers to 
create a spy-free zone, just the way the Do Not Call list and the 
possible Do Not Spam list will allow people to put on notice once 
saying, we don’t want this particular kind of violation here, rather 
than having to negotiate each time a vendor comes in and says I 
want to do this. 

My other concern is with enforcement. The Do Not Call list is 
very effective because the enforcement ranges from the FCC down 
through the attorney generals down through individual suits, and 
I think that this broad range of enforcement is really very effective 
in making Do Not Call effective, and I would encourage you to con- 
sider a similar provision for this bill. Thank you. 

[The prepared statement of Dr. Levine follows:] 

Prepared Statement of Dr. John R. Levine, President and CEO, Taughannock 
Networks, and Author, The Internet for Dummies 

It is my honor and privilege to submit these comments to the Subcommittee on 
Communications of the Senate Committee on Commerce, Science, and Transpor- 
tation for consideration during their hearing on S. 2145, the SPY BLOCK Act. 

I am a consultant and author specializing in consumer-oriented Internet topics. 
I am the primary author of The Internet for Dummies, the world’s best selling book 
on the Internet, which has sold over seven million copies in nine editions in over 
two dozen languages since 1993. I am also the co-author of numerous other books 
including the recent Internet Privacy for Dummies (2002) and Fighting Spam for 
Dummies (2004). In these books, my co-authors and I educate readers regarding on- 
line marketing and advertising practices that threaten the privacy of their personal 
information and/or present the risk of unauthorized collection, use, and abuse, of in- 
formation about their online activities. 

I co-chair the Anti-Spam Research Group (ASRG) of the Internet Research Task 
Force under the oversight of the Internet Activities Board of the Internet Society. 
The ASRG is a coordinating forum to coordinate research into and development of 
technical measures to deal with unwanted e-mail, with broad participation of indus- 
try, academia, and independent researchers. I serve on the board of the Coalition 
Against Unsolicited Commercial E-mail (CAUCE), the leading grass roots anti-spam 
advocacy organization. 

I have spoken at many professional, trade, and government fora such as the 2003 
Federal Trade Commission Spam Forum and the upcoming Enterprise Messaging 
Decisions conference in Chicago, May 4-6, 2004, and the E-mail Technology Con- 
ference in San Francisco, June 16-18, 2004. 

I serve on advisory boards related to consumer Internet issues at companies rang- 
ing from Orbitz, one of the big three online travel agencies based in Chicago, to Ha- 
beas, a small anti-spam certification startup in Palo Alto, CA. 

What is Spyware? 

Spyware is a general term used to describe software that runs on consumers’ per- 
sonal computers and performs actions that the consumer considers undesirable or 
hostile. The term has been applied to a wide variety of different applications, rang- 
ing from the arguably legitimate to the egregiously fraudulent. The three most com- 
mon types of spyware are the following: 

• Adware monitors the pages fetched by a user’s Web browser or other material 
on the consumer’s computer and when it sees particular pages or terms, dis- 
plays other pages containing advertisements paid for by the spyware’s sponsors. 
So called “Browser Helper Objects” install themselves as part of the Internet 
Explorer web browser and change the way it works. The changes can be as sim- 
ple as switching to a different home page, or as complex as redirecting web 
searches to the spyware vendor’s search system rather than the consumer’s de- 
sired system, or adding new “click here” buttons that lead to sponsors’ adver- 
tisements. 

In some cases, the adware rewrites the web pages displayed by the browser, 
substituting ads from the adware vendor for the ads originally in the page. This 
technique has been likened to opening newspaper boxes and pasting one’s own 
ads on top of the ads in the papers. 

• Key loggers record every key pressed by the computer’s user and send the 
stream of keystrokes back to the spyware’s author. More generally, “Activity 
Monitors” can log and report on any type of consumers’ computer usage, such 
as e-mail sent and received, web pages visited, and instant messages ex- 
changed. The data can be used for anything from consumer preference statistics 
to identity theft. 

• Trojan Horses allow the spyware author or vendor to remotely control the con- 
sumer’s computer for the author’s purposes. At this point, the most common pur- 
pose is probably to send spam. 

Although these are the most common current varieties of spyware, variations on 
these themes and new and different spyware programs are released frequently. We 
can expect different varieties of spyware to appear in the future. 

How Is Spyware Installed on Consumers’ PCs? 

Spyware distribution is made possible by a combination of the weak security of 
Microsoft Windows and the inability of consumers to understand the many security- 
related warnings that their computers currently present to them. 

MS Windows generally makes it very easy to install software remotely onto a con- 
sumer’s PC. While this facility is useful in a corporate environment where an IT 
department manages computers all over the company, hostile parties can also use 
it to install spyware without the consumer understanding what’s happening. In 
some cases, whenever a consumer visits a spyware vendor’s web page, programming 
in the web page automatically installs the spyware. In other cases the spyware is 
installed as part of a program that performs a desirable function unrelated to the 
spyware features. 

Sometimes, the consumer is presented with a warning screen asking whether to 
install the new program. The warning screen is nearly identical to the warning 
screens that appear when a web page needs a benign application such as one to dis- 
play “flash” animations. Consumers see such warnings so often, and have so little 
information with which to evaluate any particular installation request, that they 
rarely reject an installation request. In many other cases, security weaknesses in 
Windows make it possible to install spyware without the consumer’s knowledge or 
consent. 

Some computer manufacturers are now shipping PCs with spyware pre-installed. 
This means that users will have to go to extra time and expense to remove the 
spyware from their new computers to bring it to a normal usable state. 

Is All Software that Communicates with Remote Computers Spyware? 

No. In some cases, consumers deliberately install software with remote commu- 
nication features to participate in a large-scale computing project or a multi-player 
game or other activity. For example, many of my computers run a program from 
the volunteer-run distributed.net that solves large mathematical and cryptographic 
problems. Another well-known project called Seti@Home, coordinated at the Univer- 
sity of California at Berkeley, uses consumers’ computers to analyze data from radio 
telescopes, looking for evidence of intelligent signals from outer space. In both of 
these cases, the consumer runs the program because he or she actively wants to 
participate in the projects, the programs make no changes to the computer’s configu- 
ration (other than an optional screen saver with Seti@Home) and the programs re- 
turn no data about the consumer other than an optional e-mail address or “handle” 
if he or she wants to be counted in the statistics that the projects publish. 

Another common situation is straightforward advertisement supported software. 
For example, the popular Eudora e-mail program and Opera web browser are dis- 
tributed in free versions that display small advertisements in clearly labelled win- 
dows within the application. The ads do not interfere with the normal operation of 
the program. The consumer is clearly informed that if he or she purchases a paid 
registration for the program, the ads will go away. 

Any legislation related to spyware should be crafted so as not to interfere with 
legitimate applications such as these. 

How Do Consumers Feel about Spyware? 

They hate it. Although spyware has never been my primary area of activity, in 
my role as online postmaster for CAUCE, I get mail almost daily from consumers 
complaining about spyware and asking what they can do about it. On the Internet 
Privacy for Dummies website at http://www.privacyfordummies.com, a page about 
dealing with spyware is the most frequently visited on the entire site. 

A small anti-spyware industry has arisen with programs like Adaware, from 
http://www.lavasoftusa.com, and Spybot Search and Destroy, from 
http://www.safer-networking.org, that detect and remove spyware from consumers’ com- 
puters. Companies now routinely recommend that their employees install and use 
one of these programs on a regular basis to clean off any spyware that may have 
installed itself. 

Spyware is frequently written so as to be difficult or impossible to remove from 
consumers’ computers. It rarely comes with an uninstall program, as is standard 
with other PC software, or it comes with an uninstaller that doesn’t actually remove 
the spyware. Some of the more egregious spyware attempts to delete anti-spyware 
programs such as Adaware and Spybot from computers, and to reconfigure web 
browsers to make it impossible to reach anti-spyware websites or to install anti- 
spyware software from those sites. 

Consumers clearly perceive spyware as an illegitimate use of their computers, and 
spyware is rarely if ever installed with the informed consent of the computer’s 
owner. 

What Policy Problems Does Spyware Present? 

Spyware presents two separate policy issues, consumer protection and privacy. 

The consumer protection issue is that consumers don’t provide consent when 
spyware is installed on their computers, they don’t understand what the spyware 
on their computer is doing, and when they become aware of its presence, they in- 
variably want to get rid of it. In principle, this issue could be addressed by better 
disclosure at the time the spyware is downloaded, installed, or activated. But in 
practice, I am skeptical that disclosure would be effective. The behavior of spyware 
is often quite complex, and a disclosure of that behavior equally complex, to the 
point that many consumers would see the disclosure but wouldn’t understand its im- 
plications and would be unable to make an informed decision whether to accept it 
or not. 

Furthermore, adware that shows its own advertisements in connection with web 
pages that a computer’s user has requested causes severe consumer confusion. The 
consumer cannot easily tell what ads are part of the web page, and what ads may 
have been added or replaced by the spyware. Consumers incorrectly assume that ad- 
vertisements are provided or endorsed by the author of the web page, rather than 
by the spyware vendor. If the advertisements are inappropriate or offensive, the 
consumer blames the web page author, rather than the spyware vendor that actu- 
ally provided the advertisements. In some cases, the advertisements inserted by 
adware are for sexually oriented materials, although the spyware vendor has no 
way of knowing the age of the computer’s user. 

I am aware of at least one group of lawsuits filed by mainstream advertisers 
against Claria, formerly Gator, a vendor of adware that is typically installed with 
peer-to-peer applications such as Kazaa, due to its advertisement insertion prac- 
tices. 

The privacy issue is that spyware often collects personal information about the 
users of computers on which it is installed. This is an issue for any computer user, 
and is doubly so for users under the age of 13 who can’t consent to collection of in- 
formation about themselves. 

One could argue that in principle this problem could also be addressed by better 
disclosure, but I believe there are public policy reasons that it’s not a good idea to 
let people sell their privacy rights. The law has long forbidden certain kinds of con- 
sumer transactions (selling parts of one’s own body, for example) as contrary to the 
public interest, even if the consumer wishes to enter into such a transaction volun- 
tarily and with full notice. I believe that there are sound reasons to treat the sale 
of one’s privacy as contrary to public policy. The value of one’s privacy is great, and 
the amounts offered in exchange for it are rarely large. Once one’s privacy is traded 
away, it is difficult or impossible to regain, and the implications of giving it up are 
frequently far greater than what a consumer would foresee. 

Since spyware can and often does collect information about all of a computer 
user’s activities on the computer, and software cannot tell private from non-private 
information on a computer, the opportunities for abuse are vast. For example, con- 
sumers often apply for mortgages, bank accounts, brokerage accounts, and other fi- 
nancial accounts online. If spyware sends the information from one of these applica- 
tions back to the spyware vendor, the vendor has everything necessary to commit 
identity theft. Consumers often use e-mail or instant messages to communicate pri- 
vately with friends and relatives, or with trusted personal advisors such as lawyers, 
accountants, and doctors. If spyware collects the contents of those messages, which 
is technically easy to do, the possibilities for abuse range from medical fraud (“our 
apricot seeds will cure your cancer better than old fashioned chemotherapy”) to 
blackmail. 

Many consumers underestimate the damage from privacy invasions on the as- 
sumption that if they conduct their lives in a legal and ethical fashion, they have 
nothing to hide. The reality is that some areas of everyone’s life are private, and 
the damage from invading those private areas is real, substantial, and very difficult 
to cure. 

S. 2145 as currently written is a well-crafted attempt to deal with spyware prob- 
lems by mandating disclosure and minimal good software practices. I have two res- 
ervations about the bill in its current form. 

The first is that I am not confident that disclosure is the most effective way to 
deal with spyware problems. In view of the universal distaste of consumers for 
spyware, and their invariable desire to get rid of it when they find it installed on 
their computers, it would make far more sense to ban spyware outright, or to pro- 
vide a simple way, analogous to the telemarketer do-not-call system, that a con- 
sumer could provide one-time permanent notice that spyware is unwelcome on his 
or her computer, rather than having to wade through notices and disclosures every 
time a spyware vendor wants to sneak something onto the consumer’s PC. 

My other concern is for enforcement. The current draft leaves enforcement pri- 
marily to the FTC and to state Attorneys General without providing any new fund- 
ing for enforcement. In view of the large number of spyware authors and vendors, 
and the budget pressures on all enforcement agencies, it seems unlikely that they 
will be able to take action against any but the largest violators. One of the reasons 
that the existing do-not-call system is so effective against telemarketers is that the 
law specifies statutory damages for consumers who are the victims of illegal tele- 
marketing calls, and allows consumers who are sufficiently motivated to sue for 
modest but meaningful amounts. A similar provision to let consumers recover for 
spyware violations would make an anti-spyware law far more effective without re- 
quiring new funding for the FTC or other agencies. 

Senator Burns. Thank you. We’ve been joined by Senator Allen 
of Virginia, who chairs our high-tech conference and does a great 
job at that and, of course, represents a great technology community 
here in Northern Virginia. Thank you. Senator Allen. Do you want 
to make a statement or ask a question or do you want to play foot- 
ball? 


STATEMENT OF HON. GEORGE ALLEN, 

U.S. SENATOR FROM VIRGINIA 

Senator Allen. I’d rather play football but I didn’t bring the ball. 
It’s back in my office. I want to thank you, Mr. Chairman and Sen- 
ator Wyden for bringing this issue to attention. I was listening to 
Mr. Berman’s nightmare scenario, and I said, God, I was telling my 
staff, I said, that’s what was happening on our computers. It was 
not just the spyware, it’s the pop-ups and things shooting out of the 
side of it and all the rest and you put it back in, restart it, it all 
comes through again and it’s just — this is broadband that we’re all 
trying to get deployed and so forth, and I’m thinking, God, dial-up 
was better than this. 

Finally, we got someone in there who could install the right tech- 
nologies to stop it and now being on the Internet and reading arti- 
cles and so forth is a pleasure without all that interference of pop- 
up ads and notices that you’re being monitored and all the rest. 

And when you get to this issue of spyware; I was hearing several 
of the gentlemen talking about the definition. I think your defini- 
tion is one that makes pretty much common sense, like a lot of the 
things you do, Senator, which is very rare around here having 
some common sense. But it seems to me it would be a software 
that monitors a computer user’s activities, it collects personal infor- 
mation, and shares it without the user’s or the consumer’s knowl- 
edge or their consent. 

I look at this from a perspective of a privacy issue, because what 
you are doing is an invasion of an individual’s privacy. I approach 
this whole debate on what we ought to do similar to the way we 
handle the online privacy debate in this committee last year. 

There’s a few points I want to make. Number one, I think that 
all of us ought to be able to agree as a matter of principle that 
under no circumstances is it acceptable for someone to secretly or 
deceptively monitor a consumer’s activities online without that con- 
sumer’s knowledge or consent, and any sort of misleading or false 
practices associated with spyware, in my view it threatens con- 
sumer confidence, I think it ruins, it harms the Internet’s viable 
and usefulness, whether it’s for commerce or for access to informa- 
tion. And in that regard, Senator Burns and Senator Wyden, I 
thank you for identifying this problem with your measure. 

Now second, as we examine this legislation and how to handle 
it, I think we ought to consider all the different options. Like online 
privacy, I think it’s important that we empower individual con- 
sumers to make sure they have the information necessary to make 
reasonable decisions and choices. I think we ought to encourage to 
the greatest extent possible market-driven solutions to this, and 
this has been a committee that doesn’t like to always dictate the 
technologies because we like to see the advances in technologies. 

Third, as you go through all of these, and listening to the con- 
cerns we do have existing laws. You’re talking about identity theft. 
That is currently, presently a crime. We ought to find out how 
we — maybe those laws need to be made better, but the question of 
privacy is governed by law, identity theft, fraud, deceptive mar- 
keting practices, all are part of the law. 

Now, it may be that we have to find a way in the midst of this 
legislation as we discuss it to make those more enforceable, but 
those basic principles are there, and just because it’s spyware or 
adware or whatever it may be, it doesn’t mean that they’re immune 
from those laws. And so with the technological advances that have 
grown, I think we ought to be looking at those approaches, enforce 
the laws we have. I think it’s in the interests of the broad tech- 
nology or Internet community to get this done, to make sure that 
you don’t have people frustrated, aggravated, or sometimes in- 
sulted with some of the spyware and the adware with some of the 
pop-ups that come up that are inappropriate, and we all know 
what I’m talking about here. 

So I’d like to see a market-driven approach or solution. I want 
us to find ways to enforce our current laws and I do want to work 
with you as I have, both of you, great leaders in technology. What 
we all did with spam, what we’ve been able to do with Internet pri- 
vacy matters, I think those would be the guidelines and philosophy 
I’d like to follow, and thank you again, Mr. Chairman and Senator 
Wyden for your sterling leadership once again. 

Senator Burns. Thank you, Senator Allen. I have just a couple 
of questions. Every time we start in on this kind of legislation, and 
I think Senator Wyden would concur that we spend a lot of time 
working on definitions, people define different terms and words dif- 
ferently. And we tried to do that in this, and especially it’s very im- 
portant whenever you start talking about this business of privacy. 
It’s a very personal thing. 

Now, given what’s been happening with the software that’s 
downloaded into your computer that has basically set your com- 
puter to be a tool of somebody else and not always of your own, 
and we know that probably out of the millions of users of com- 
puters, probably less than a third of them read PC Magazine. What 
tool do we use to make people aware of this problem? And I’ll let 
anybody comment on that. 

Mr. Berman. Well, certainly we have to let people know about 
the problem, and I think that hearings like this and the press cov- 
erage and so forth, but I think it’s consumer education down at the, 
at the basic level. Last year and over the last couple of years, in- 
dustry and public interest organizations like CDT created the Get 
Net Wise site, which provides information on privacy and what 
consumers can do about, even about spyware. It’s just a beginning, 
but it’s a consumer education program. 

But I don’t think that we can begin there. We have to give people 
and the consumers some clear definitions of what we’re talking 
about, and I think that some of the tools that are in your legisla- 
tion are going to be necessary. It is one thing to find spyware or 
adware or a software program that takes over your computer and 
you can’t uninstall it, and I don’t know any consumer education 
program outside of a technical manual that’s going to help you do 
that, and you got a technical person. 

Not everyone has a Web master like I do to take spyware off of 
my computer, so we need to, as in CAN SPAM, to provide some re- 
quirements. That if software is installed on your computer that it 
has to be, even with your consent, that it has to be removable, and 
SPY BLOCK moves in that direction. That’s one of the things that 
no notice bill and no FTC proceeding is going to solve. It is going 
to require some legislative action. 

Senator Burns. Mr. Holleyman? 

Mr. Holleyman. Mr. Chairman, a couple of things. One, I do 
think that raising public awareness about this is critical. It’s like 
this hearing, things that have been held in the House, the FTC 
workshop next month, the publicity on this I think is very impor- 
tant. 

Second, I think there will be more tools that will be made avail- 
able by software developers that will be easily deployed that will 
let people track this. Third, I think we need aggressive enforce- 
ment, and we don’t need to wait until a new law is passed, and a 
new law may be needed. But what we need is aggressive enforce- 
ment of existing laws to try to dry up the practice of commer- 
cialization of information that’s seized in this fashion. 

Then I think there are other steps such as industry best prac- 
tices, working with sort of new upgrades of software that will all 
yield hopefully to a much better environment than the status quo. 

Senator Burns. Mr. Naider? 

Mr. Naider. Yes, I’d like to follow up specifically what Mr. 
Holleyman said in the sense that industry standard-setting is real- 
ly one of the major opportunities that the SPY BLOCK legislation 
presents in the sense that one of the themes that you hear emerg- 
ing from this panel is the notion of consumer control. 

Dr. Levine made an interesting point, which is that whether it’s 
spyware or adware, a lot of consumers will say they don’t like it, 
and I will readily confess that even WhenU software, we get many 
consumers who say they don’t like it. We’ve done tens of millions 
of installs, but many consumers choose to remove it. 

The point is, that if you give consumers control and you set a 
standard by which a consumer makes a choice to install when they 
have this type of software, particularly adware that shows them 
ads, each ad is very conspicuously branded and addressed and 
makes it clear where it’s coming from, the user is then easily able 
to uninstall. 

What you then do is you create a standard by which you don’t 
undermine the technology, you don’t take the 25 percent of the 
market that benefits from the technology, but you allow a set of 
standards to be set that the consumers ultimately do control, and 
that’s ultimately what really infuriates consumers, when they don’t 
have control, when they don’t know what’s happening to their com- 
puter, and when they can’t do anything about it, and we do have 
the opportunity right here to address that. 

Senator Burns. Mr. Levine? 

Dr. Levine. If I may digress slightly, on the plane down I was 
reading a funny article about a fellow talking about the 1930s and 
1940s appliances in his house. He was talking about a toaster or 
something, and he said that he learned the hard way that the con- 
trol on the toaster had a little rubber knob on the end which you 
had to hold, because if you touched any other part of the toaster, 
you’d be electrocuted. And we don’t build toasters that way any- 
more, and no doubt at the time the toaster was built, there was a 
sign saying, only touch the knob. 

And I think a certain amount of labeling is useful, but I think 
that if you have a practice that consumers find so noxious and so 
uniformly contrary to what they expect, it’s like with my example 
of the newspaper boxes. We could have a campaign to put signs on 
the boxes saying, danger, don’t read newspapers with other peo- 
ple’s stickers on them, but I think what we really need is a con- 
sistent policy about what sort of data collection is appropriate for 
computer software and what isn’t so that users don’t have to be 
worried every time they click somebody might steal their data, that 
they can be confident that their computers will work in a way they 
think is reasonable. 

Senator Burns. Well, I get the feeling that I’m going to have a 
follow up question for Mr. Holleyman, but I first want to get to my 
colleagues and we’ll probably have a couple of rounds of questions 
here, but Senator Wyden. 

Senator Wyden. Mr. Chairman, gentlemen, the first question I’d 
like to start off with is whether or not you all feel there are legiti- 
mate reasons for software that doesn’t allow a computer owner to 
delete it. Let’s go right down to it. Maybe some technical reasons 
and that’s what I’m interested in, but I mean, as a general rule it 
seems to me if the computer owner can choose to install it, he or 
she ought to be free to uninstall it, but I’d like to see if we can kind 
of just go right down the row and see if as a general proposition 
you all share that view. Start with you, Mr. Naider. 

Mr. Naider. We completely agree with that. Computer owners 
should have the right to install software and uninstall software. 
Occasionally, as in our business, for example, you see instances in 
where a consumer downloads a free piece of software, and in addi- 
tion to that free piece of software, there’s another piece of software 
that supports the free piece of software, for example, providing cou- 
pons and advertising. In those cases, we think the consumer should 
have the choice to uninstall as well by uninstalling the free piece 
of software and that goes with it. 

But under no circumstances can we imagine a scenario where a 
computer user shouldn’t ultimately be the one to control what is 
and what is not on their computer. 

Senator Wyden. Anybody on the panel disagree with that? We 
can just go right down the row and save some time. I just want 
to see if as a general rule you feel that that’s appropriate. 

Mr. Holleyman. I agree with your general rule, with your caveat 
that there may be technical reasons at times where you cannot 
uninstall something without harming the operating system, for ex- 
ample. 

Senator Wyden. Jerry? 

Mr. Berman. I agree that you ought to be able to uninstall and 
the principle — the right to uninstall, but right now you don’t have 
the right to uninstall a lot of spyware. 

Senator Wyden. Right. Dr. Levine? 

Dr. Levine. As a general principle, I agree with everybody else. 
You need to be able to uninstall stuff. But I think what consumers 
are more interested in is the possibility of breaking stuff apart. For 
example, they’ll install a program that does some useful thing and 
then it’s bundled in with something else that they consider to be 
spyware, and they consider the program to be useful and the 
spyware to be useless and they’d like to be able to get rid of one 
without the other. That’s where I think you run into these issues 
of what’s uninstallable and what’s not. 

Senator Wyden. I put into the record something that struck me 
as very plausible in one of the New York Times pieces calling for 
something similar to what we’ve introduced. They start — and I’ll 
quote here — a good start would be to require all such programs to 
announce themselves clearly and define their functions, allowing 
the users to reject software that strikes them as intrusive. Anybody 
disagree with that? 

Mr. Berman. The issue is, what software under the, say, for ex- 
ample, legislative rule would have to announce itself and then you 
get to decide what is intrusive? 

Senator Wyden. Covert, secret. 

Mr. Berman. Well, if we define it that way, but some of the legis- 
lation unintentionally or even intentionally has defined the com- 
puter software to include any software resident on your computer 
and then you get to software that does some monitoring functions, 
diagnostics and so on, can be covered. It’s not defined clearly in 
terms of computer software that does something that we would 
consider bad behavior. 

Mr. Naider. If I could follow up Mr. Berman’s comment, I think 
one of the concerns with the legislation as currently worded is ex- 
actly what Mr. Berman is saying, which is that it doesn’t say this 
explicitly in the legislation, but at least with regards to the adver- 
tising copy in the legislation, it’s implicit that it’s talking about 
pop-up advertising, just some of the language that’s used to say it 
has to have a notice and each ad has to have a link to an uninstall. 

When you think about the future of this type of technology, many 
in the industry believe that software on your desktop, legitimate 
advertising software, will be done in many, many different ways. 
It may be in the form of toolbars that are on your computer, it may 
be embedded within your browser, it maybe is part of the interface 
of your ISP so that this notion of every piece of software announc- 
ing itself in the same way that would be contemplated for some- 
thing, for example, that does pop-ups may be inappropriate. 

And one of the things that we think needs to be studied and 
looked at in detail with regards to any legislation is not what is 
the current practice of adware or software-based advertising, but 
what is the potential future universe of different activities that 
could take place that are very, very legitimate, very empowering to 
consumers. Can this bill broadly worded actually hinder that, and 
that’s I think one of the concerns we have with the bill. 

Senator Wyden. Those are legitimate points. What we’re trying 
to do is get at the secrecy, the secrecy that really invades the rights 
of the consumer that we’ve all been talking about. 

The third area I wanted to ask you about, Dr. Levine, was drive-by 
downloads and how easy it is to set them up. It strikes me as 
pretty good target, pretty fertile area for shady kind of people, but 
why don’t you tell us about that? 

Dr. Levine. It’s extremely easy, and it’s easy for two reasons. 
One is that Microsoft Windows, which everybody uses, is just de- 
signed in a way that makes it really easy for third parties to install 
software into it, and in many cases that’s fine. If you have a cor- 
porate network, the ability of the IT department to maintain all 
the computers in the company is fine. 

And if you have a website that uses a particular kind of audio 
or animation or something, the ability to say, oops, you need the 
Flash Player, would you like me to install it for you so you can see 
this cartoon, that’s fine too. 

The problem is that the technical line between the Flash Player, 
which just shows you pretty pictures, and spyware that does ma- 
levolent things, is very narrow. It is both easy for people to install 
stuff without notice, and the other problem is that people install 
stuff so often, 3 hours it pops up and says, oh, here’s a little compo- 
nent we’d like to give you. And from the consumer’s point of view, 
it’s very difficult to tell the notice between something malicious. 

Senator Wyden. Just a couple of other quick questions. I know 
my colleagues want to get into it. Mr. Holleyman, gentlemen, came 
out for going after electronic spying, but essentially felt that 
adware wasn’t a major concern right now. He said it hadn’t risen 
to the same level of concern. Mr. Berman and Dr. Levine, do you 
two view the proposition that pop-up ad software isn’t yet a key 
consumer concern? 

Mr. Berman. I think because there are companies that are pro- 
viding these programs and without clear notice and consent to the 
consumer or to all the users of a particular community, I men- 
tioned the family example, that the pop-up ads are becoming in a 
consumer’s mind another form of pop-up spam. In fact some of 
these programs also allow you to serve spam, but it’s the pop-up 
ads are, I think, a nuisance to computers and interfering. If they 
don’t have consent they are being served content which they really 
don’t want. 

Now, the difference between what they want and whether they’ve 
consented is really how explicit the notice is, how clear it is, and 
how simple we make it, and there are no standards for that right 
now. 

Senator Wyden. Dr. Levine, you? 

Dr. Levine. There’s no question that people hate pop-ups. I con- 
sult for one of the large travel websites that’s used what we could 
call “legitimate pop-ups” extensively in their advertising, and 
they’re legitimate in the sense that if you go to a site like ESPN, 
a site, the pop-ups ads that pop up are actually placed by ESPN 
and support the website, and even though they’re, you know, by 
any business standard they’re legal, people hate them, you know. 

And then we go on to the kinds of third party ads where, ads 
that — advertisements that weren’t part of the original website, peo- 
ple hate those even more because they don’t know who to blame. 
So I’d say from the point of view of consumers, it is a very big 
issue, and it’s one that they really would like to have somebody fix. 

Senator Wyden. Yes, I don’t want to jump on you on this point, 
Mr. Holleyman. I know you’re sincere on it. But I think if you were 
to go out across the land today and ask people about pop-up ads 
software, they’d say, that stuff drives me nuts. I’m outraged by it. 
And we want to work with you, I mean, you’re raising a lot of prac- 
tical concerns about how to do it. But I got to tell you that we’re 
not jumping you here today. 

Mr. Holleyman. Sir, I think there are two things here. One is 
we were trying to focus on what we think is the biggest current 
problem where we can both start deploying current laws and then 
fill in gaps with new legislation. Second, there’s a pending bill before 
the Utah Governor that she has until, I think, midnight tonight 
to decide whether to sign or veto, there was a spyware bill 
passed by the Utah state legislature. 

Senator Wyden. I understand. 

Mr. Holleyman. There was a very broad group of technology 
companies and associations who met with the Governor last week 
to urge her to veto that bill to give their legislature another chance 
to look at this when they come back in session next year. 

One of the comments she made, that was made in the letter, and 
I do not represent advertisers per se, but I will simply pass this 
along, was talking about pop-up ads and talking about the impor- 
tance of enabling local advertisers in Utah to be able to properly 
tailor advertisements to Utah-based citizens rather than only al- 
lowing broad-based national advertisers to have that broad reach. 

I don’t know what the answer to that is, but I would encourage 
you to look at the letter that we submitted to the Utah Governor 
as one of the issues associated with this. 

Senator Wyden. One last question if I might. You, Mr. 
Holleyman, said that state AGs ought to be given enforcement au- 
thority in the area only if we have what you call, you quote, a “Fed- 
eral standard.” So obviously what we think we’re doing in the bill 
is establishing a Federal standard, and what I was curious about 
was whether this was really something that you want to just deal 
with as a preemption issue. Are you all calling for preemption? Is 
that something you’d support, Federal standard preempts states? 

Mr. Holleyman. If Congress moves in this area and determines 
if legislation is needed to close existing gaps, then there should be 
a Federal single standard that preempts inconsistent state laws. 

Senator Wyden. Mr. Chairman, thank you. 

Senator Burns. Senator Boxer. 

Senator Boxer. As a pop-up ad victim, those things are really 
the worst, and it’s the whole point, I mean, and it shocks you. It’s 
a very disconcerting deal, because when I’m working on my com- 
puter I’m working on something, and it’s just like, I mean, my 
grandson knows don’t bother Grandma right now. I’d rather be dis- 
turbed by him than these idiotic things, some of which are foul. 

But here’s the point. I think if we do work together and we can 
make this happen right, you’ll wind up being happy because you 
don’t want Utah doing their thing and you don’t want California 
doing their thing and so on and so on and Virginia. We’ve got to 
get together here and have some answer to this thing. 

Mr. Holleyman, when you say you don’t represent advertisers per 
se, what does that exactly mean? 

Mr. Holleyman. I represent companies who certainly advertise, 
as most commercial businesses do, but I’m not speaking on the 
adware issues or representing companies who are making a profit 
out of selling advertising. 

Senator Boxer. Say that — you represent advertisers, but 

Mr. Holleyman. I represent major companies who all advertise 
their products, but I’m not representing companies such as the col- 
league at my right, who are in the business of providing adver- 
tising services. 

Senator Boxer. OK. Well, you know, I don’t want to prolong this 
because I just, for me certain issues are a no-brainer. This — for 
what — it’s simple. You know, this is not a good thing that’s hap- 
pening to folks, and in the end it’s going to drive people away from 
their computers and that’s not a good thing. I am very much in 
favor of all of this information-gathering, and I can tell you, you’re 
sitting there, you’re trying to do some work, you’re trying to get in- 
formation, and you’re just bombarded and it all happened because 
somebody spied on what you were looking and I looked at shoes 
and they’re advertising shoes. This thing has got to go. This is not 
a good thing. And so, yes, Mr. Berman, I don’t have 

Mr. Berman. I have problems with pop-up ads from downloaded 
spyware. I actually have an ad program that runs on my mail pro- 
gram, it’s serving me ads, and the reason I’m getting the free mail 
service is they’re serving me ads, they’re getting some revenue 
from it. 

I consented to it. It’s very clear on my desktop what’s happening 
and if I don’t want it I can pay for a different program and the ads 
disappear. And if I want to uninstall it, I just take that program 
and get another program. That kind of transparency I think is 
where consumers want to go. 

Also, while we may not like pop-up ads, that is a much larger 
and different, and sometimes different issue than spyware. Pop-up 
ads are being served without spyware, and so we got to put things 
in boxes and say what is the most important thing that we want 
to deal with. 

And I got to one more time make this point, that the privacy 
issue, which is only one part of this spyware problem, is the collec- 
tion of information without your consent. It may be through a pro- 
gram on your — but it goes back to Senator Allen, the privacy bill 
that passed out of the Commerce Committee, it may need — maybe 
there wasn’t a giant Congressional consensus, is still not law. We 
do not have online privacy legislation which defines the fair infor- 
mation practice for online privacy for websites, for companies doing 
business on the Internet. 

We are relying on important self-regulation. Good companies are 
doing a great job at trying to give you privacy notices on their 
website. But I point out when you’re dealing with spyware, you’re 
finding out that there are always outlaws and outliers using new 
technology to do the same thing, take information without notice 
and consent. And until we have some rules about that, which goes 
back to Burns/Wyden 1, we’re not going to solve the privacy problem, 
and to try and do it for spyware, like say, well, we have a 
cookies bill and a spyware bill and a spam bill, it begins to become 
a crazy quilt, which is what we want to try to avoid when we ask 
for Federal legislation, some coherent, overall policy. 

And we need privacy policy in this area. It doesn’t have to be, 
you know, terribly burdensome, but it has to inform both good com- 
panies and bad companies what the rules are here for collecting in- 
formation about consumers and users on the Internet. We don’t 
have that. 

Senator Boxer. Mr. Berman, let me just say, I have no disagree- 
ment with anything you said, but I’m also a practical legislator. 

Mr. Berman. Right. 

Senator Boxer. And I can tell you now, the reason I was so 
proud of my colleagues and teamed up with them on spam and 
these other issues is because sometimes you can’t get that overall, 
but I agree with you, it’s all a matter of consent, that’s really the 
bottom line. But also consent that’s obvious, that is easy to figure 
out, so that it’s not such a difficult hurdle that you have to do 17 
things to get out of this deal. That isn’t any good. It’s got to be 
something straightforward. That’s what we’ve been trying to do. 

Mr. Berman. This may be one time when consumers are going 
to become so outraged by this kind of behavior that different laws 
are going to pass in Utah, pass like that, may not be signed into 
law, that it may be the better part of valor to revisit, maybe not 
in an election year but maybe early next year, trying to develop 
some baseline standards again as part of the tradeoff of resolving 
a set of issues that surround, that beg for a solution, but do not 
beg for a solution that is technology-specific, because that is anath- 
ema to innovation and to the Internet to go technology by tech- 
nology. 

Mr. Naider. If I can add, specifically for Senator Boxer’s very 
good point about consumers hating pop-ups. I think one of the 
things that we have to all recognize is that these types of bills are 
strangely affected by consumers’ general dislike for pop-up adver- 
tising. For example, if you said to an average consumer, do you like 
pop-ups, most consumers would say no, I dislike pop-ups. If you 
said to a consumer, would you want a piece of software that alerts 
you to a $30-off coupon when you’re about to make a purchase, 
most consumers would say yes. 

The important thing is to recognize that the pop-up problem is 
a much, much, much larger problem online than sort of a narrow 
problem as a result of either spyware or adware, et cetera, and that 
in the course of trying to address consumers’ concerns with pop- 
ups, specifically a sense of feeling bombarded or being hit with pop- 
ups that don’t come from anywhere, we have to be very careful 
about not affecting or ruling out software that can actually be tre- 
mendously beneficial. 

And when you think about where the Internet is in 5 or 7 years, 
is it desirable for most computers to have software on their ma- 
chines that, as a consumer’s navigating the Web, in some way, 
shape, or form is alerting them to maybe three other places where 
they can buy a mortgage or to a great deal on travel? When you’re 
looking at a hotel in New York City, should a piece of software be 
allowed to tell you about a place where you can get that hotel for 
50 percent off? Many people would say yes, and we just want to 
make sure that this legislation covers that. 

Mr. Berman. But there’s a problem. It’s when, who’s saying yes 
and consenting to this software being loaded on your computer? 
Many of these pop-up adware programs are added as piggy-backed 
on top of peer-to-peer network software. I mention these, there are 
a number of adults in different offices had their computers swept 
for spyware, and there are just many, many programs there. And 
how did they get there? It’s because their teenagers are out in peer- 
to-peer networks signing up for file-sharing programs, for music 
and so on, and maybe that’s — put aside the copyright issues, but 
still, that software is being loaded on your computer and it’s there 
delivering ads to a lot of people who don’t want them. 

It’s how clear is the consent and can you really get out of these 
programs? WhenU says it’s easy to uninstall their programs. I 
know some programs which are really hard to uninstall. I don’t 
know how we can do this except by Congress saying that some of 
this behavior on hijacking computers is unacceptable. 

Dr. Levine. If I could add a little bit there. Something that’s sort 
of unique about software is that you consent once but then it an- 
noys you forever, which is somewhat different from other software. 

Senator Burns. Sounds like marriage, doesn’t it? 

Dr. Levine. I plead nolo contendere, sir. But with most software 
you install the software and you consent, but once it’s installed, it 
only runs when you tell it to. Spyware is unusual in that it sits 
there and it gives you, you know, it gives you stuff that may or 
may not be helpful, you know, whether you ask for it or not. In my 
case, I don’t want Windows to pop up and tell me when I can get 
cheaper hotels because I know if I want a hotel comparison website 
I know where to find one. 

Senator Burns. Senator Allen? 

Senator Allen. Thank you, Mr. Chairman. You know, you all did 
a great job on spam. My general view though is pop-ups are worse 
than spam. I had an account set up with Yahoo — huh? 

Senator Burns. It’s a form of spam. 

Senator Allen. It is, but the spam is usually associated with e- 
mail, and I finally found this e-mail account and said, all right, go 
in there, use it through Yahoo, it’s what I use as my website, or 
home page. And this is I don’t know how many months, there are 
just hundreds and hundreds of e-mails in there and they were on 
mortgages, travel bargains, gambling, pharmaceuticals, pornog- 
raphy, whatever all it was, all these e-mails. And it’s very easy to 
get rid of them. You select all and delete and that’s it. 

Pop-ups you have to click them off. As far as advertising, I like 
to read the newspapers. I read the Richmond Times-Dispatch or 
the Post or the Washington Times, whatever it may be, the Bristol 
paper. At any rate, they have advertising for realtors there and 
whatever other things they may want to advertise, but that’s not 
invasive, that’s just on the side of the article. You go on, say, Buc- 
caneers.com, they’re selling stuff, Raiders.com, Chiefs.com, what- 
ever it may be, they’re selling things, jerseys and whatever, and 
that’s not a problem, the pop-ups are. 

Now, in listening to all of this maybe we can get this agreement 
from this hearing and why we may need to have Federal legislation 
in light of Utah. Will you all agree that any legislative approach 
should establish a national standard, avoid a patchwork of state 
regulations, and target bad actors, not necessarily harm legitimate 
online business? Do you all agree on that? 

Mr. Holleyman. Absolutely. 

Mr. Berman. Yes. 

Senator Allen. Well, that’s where we’re going to have to go now. 
The details of some of these, the definition and so forth, there is 
that agreement on it. And, of course, Mr. Holleyman, I like your 
approach, e-spying, ban behavior not technology, that’s the ap- 
proach. 

Now, we’ve heard about all these statistics regarding the amount 
of spyware on consumers’ computers, which is all very disturbing 
and worrisome. According to Mr. Holleyman, spyware amounts to 
an abuse of technology. Clearly that is the case. Now, can any of 
you all share with us and the public what is the technology indus- 
try doing to help address this problem? If we’re trying to educate 
the public, what is the technology industry doing to address it, 
other than dragging some guy who’s an expert or person who’s an 
expert to try to stop it? 

Mr. Berman. There are a number of technologies which are being 
offered. Earthlink has a spy audit and America Online is also offering 
a package which helps users of their services sweep, detect, and 
eliminate spyware, so there’s a technology solution. I know that 
Microsoft is working on part of those solutions. We’ve been trying 
to convene a group of industry and public interest organizations to 
try and sort out what’s being done, what can we do through self- 
regulation, what can we do through standards, what falls into the 
need for legislation and can we define bad behavior. And it’s, I 
think it’s going to be a mix of all those. 

We’ve also worked on a standard called P3P, which allows com- 
panies to express their privacy policies in code, which can be read 
by a consumer who can set their settings to what they want, and 
if that was widely adopted, it would be much more transparent to 
deal with companies like, that promote spyware or adware. You 
would be able to do a lot of negotiation or at least be able to say 
this is consistent with what I want as a consumer and say yes or 
say no. 

And so there are technology solutions that are out there, but I 
think that it’s going to have to be a mix of technology, self-regula- 
tion, and legislation. But the self-regulation in this area I don’t 
think is going to come until we have some clear standards, and if 
we have some clear standards, some of it’s going to have to be put 
in the legislation. 

Senator Allen. Mr. Holleyman? 

Mr. Holleyman. There are technological solutions that are both 
being made available now and that companies are actively working 
on for their next generation of products. I agree with everything 
that Mr. Berman said that a combination of consumer education, 
technology tools, and best practices that we’re eagerly working on 
with Mr. Berman’s group and others. It may well take targeted leg- 
islation, and also enforcement of existing laws. I want to reiterate 
that the status quo is not acceptable. Something needs to be done. 
It’s just a question of how do you then tailor that new legislation 
to deal with it. 

Senator Allen. Dr. Levine, what’s your perspective of the tech- 
nologies that are available, and maybe people are not availing 
themselves of them? 

Dr. Levine. There are certainly some technologies. There’s the 
programs Mr. Berman referred to. There’s also some fairly nice free 
programs called Adaware and Spybot. But I’m still concerned that 
it’s difficult for consumers to make rational tradeoffs here. I can’t 
tell you how many times I talk to someone, I say, do you believe 
that your personal privacy online is important? Of course. But then 
they say, well, you know, would you provide your name, address, 
Social Security number, mother’s maiden name, and annual income 
in exchange for a raffle ticket for a $5 plush animal, and they all 
do. 

Senator Allen. Well, that’s 

Dr. Levine. Well, and I realize we can’t keep people from being 
naive, but I think people don’t appreciate sort of the value of what 
they’re giving away and the risks they’re entering into. So, I realize 
none of us are interested in having a nanny state here, but I do 
think that it’s important to recognize the value of the data these 
things can collect and I think it’s reasonable to put some fairly 
strong hurdles in the way of saying, you know, do you really want 
to give this up, is what you’re being offered really valuable enough 
to be worth this exchange? 

Mr. Berman. One point on that, which is that the risk involved 
and the tradeoffs, sometimes consumers are given the opportunity 
to get a free program or free service in exchange for signing up for 
an adware program which is essentially downloaded on their com- 
puter, but they’re not necessarily up front, and this is something 
that SPY BLOCK tries to deal with. They’re not given up front any 
knowledge of what that adware program is going to do and how 
many ads and how intrusive it’s going to be and when it’s going 
to come, so they’re signing up without real knowledge of what 
they’re getting into. Maybe that’s solved by the ability to uninstall, 
but uninstall is 

Dr. Levine. No, because once you’ve given your data away, since 
the U.S. has no tradition of strong data protection laws, once some- 
body’s collected your data, they’ve got it, and if they then transfer 
it from place to place to place, we all know stories, we’ve all heard 
stories about somebody who disclosed information one place and it 
ended up someplace really much worse and far away. 

Mr. Berman. Well, I put those in box one, which are privacy vio- 
lations. There are also ad services who are not collecting informa- 
tion, and I want to make clear that they raise a problem. Even 
though they are not violating privacy, they are raising issues of 
user control over their computer. 

Senator Allen. Mr. Naider? 

Mr. Naider. And we are trying to address it, I guess, at a slight- 
ly different angle, which is economically. We’ve put together what 
we call our five points definition of what is the difference between 
legitimate adware versus spyware. Interestingly enough, adware 
used to be a positive word. We put out press releases 2 years ago 
talking about our own adware. I wouldn’t think of putting out a 
press release today mentioning adware in conjunction with our 
product because it’s become a loaded word because there are some 
folks that claim they’re adware and actually are spyware. 

We’ve actually put out a definition that we’re trying to promul- 
gate within the industry, and that definition has five points, and 
point number one is the disclosure. When you initially install it, it 
has to be visible, right in front of the user, that the presence of ad- 
ditional software is something that if the user takes the time to 
read is visible, it’s not buried six pages down in a license agree- 
ment. 

The second thing is that the license itself for this type of tech- 
nology needs to be clear, concise, and understandable. We use a 
two-page license agreement to the dismay of our lawyers because 
we basically said that anybody who reads a license agreement 
should be able to understand it in 5 minutes. We think the second 
point is the disclosure of the license agreement and making it clear 
and concise. 

The third point is the branding, specifically if you display Win- 
dows or add Windows such that consumers don’t wonder why I am 
seeing this ad, whether they may like it, like Dr. Levine — they may 
not like it like Dr. Levine or like it, like some other folks, it should 
be very clear where it’s coming from, why it’s there, and who is de- 
livering it. 

The fourth point is ease of uninstallation. Consumers that don’t 
want the software should easily be able to uninstall it, should 
make a choice. With respect to what the Senator mentioned before, 
there is actually a big difference between spam and legitimate 
desktop advertising software. Actually I’ve tried many times to stop 
spam to my office mailbox. I can’t do it. But if you want to 
uninstall software that’s legitimate software, it’s actually easy to 
uninstall it. So if you abide by that fourth point of uninstall, then 
we consider that in keeping with this philosophy of being adware 
and not spyware. 

And the fifth thing is privacy protection, which is, regardless of 
whether you get disclosure, regardless of whether you get a license, 
regardless of whether you brand and you make it easy to uninstall, 
if the practices that you’re doing involve keystroke logging, collec- 
tion of personal information, then it doesn’t matter that you got all 
this because there may be unwary consumers that agree to it. 

So we believe that by putting out this five points of what defines 
legitimate desktop advertising versus spyware, we can actually cre- 
ate a definition where those who claim that they’re doing legiti- 
mate advertising were actually spyware don’t survive economically, 
because the advertisers who use it basically say, are you adhering 
to these five points, are you doing this legitimately, and if not we’re 
not going to spend money with you. And that’s our approach and 
we actually hope that this type of legislation will look at these dif- 
ferent pinnacles of disclosure, license, branding, uninstall, and pri- 
vacy, and be able to set that standard as well for the market. 

Senator Allen. Are you saying, final question. I’m like Dr. Le- 
vine. If I want to figure out how to get a flight from one place to 
another, again, Yahoo will have Travelocity linked up with it or 
whatever. There’s a — you can find it, you can search and find it 
without somebody saying, here, you can be on a cruise or you can 
get these discount rates and so forth. I’d just as soon not have to 
click them off and have them covering up what I’m trying to read. 

Now on your — you seem to have some standards, those don’t, 
which make a great deal of sense. Let me ask you this though. How 
easy is it for someone to remove on your software? Say there’s 
someone like me or Dr. Levine who, I don’t care, it is good to know 
where it came from, the source of it is good, that obviously would 
be wonderful as a way of knowing the source or you can figure out 
how they got your name and then blame them rather than some 
of the deceptive things, you think it’s coming from AOL or Micro- 
soft when they have absolutely zero to do with it. And you see AOL 
or you see Microsoft and it connotes a certain credibility and cre- 
dence, so I think it’s great to have that tracing. 

But how easy is it, or how would someone who doesn’t want to 
get your advertising through WhenU.com, how easy is it to remove 
it? 

Mr. Naider. I think the numbers speak for themselves. We’ve 
done over 100 

Senator Allen. I missed your testimony, so I’m sorry if you’ve 
already said this. 

Mr. Naider. That’s OK. We’ve done over 100 million unique in- 
stallations of our software and initially about 50 percent of people 
kept it and now 80 percent remove it. Now, that’s a challenge for 
us. Part of the reason that they remove it is because there are so 
many other programs not adhering to standards that they just get 
an Adaware program and everything gets removed. 

But the answer is, it’s very easy to remove. It can be uninstalled 
through your control panel add/remove, which is the standard way 
for uninstalling software, and more importantly, each ad unit tells 
you directly how to get information about uninstalling where it 
says, go to your control panel and do it. 

So the empirical evidence is that it’s very easy to uninstall, and 
as a result, we freely acknowledge that there may be consumers 
that don’t want to see a coupon when they’re about to shop and 
don’t want to see, but to the extent that there are consumers that 
do and that it’s quite beneficial to either have that software for its 
own merit or maybe you’re willing — maybe you don’t want to see 
it but you’re willing to see it because you get a free sports ticker 
program. There are many consumers like that. They decide, well, 
I don’t necessarily love the idea of seeing a coupon or a free travel 
ad, but you know something, I get a free sports ticker, so I’m happy 
to do that. 

We want those consumers to have that choice. By following these 
types of standards, you give the consumers a choice. By making 
any unilateral decision one way or the other, you don’t give them 
the choice, and we hope that that’s what this legislation accom- 
plishes. 

Senator Allen. Understood. How many others in your business 
have the facility of removing pop-ups that you all do? 

Mr. Naider. It varies dramatically. There are others — we are 
certainly the leader in the industry in terms of the standards that 
we set and there’s a full spectrum of activity from folks who don’t 
necessarily adhere to every one of these points, maybe four or five, 
to folks who absolutely make it impossible to know that — or do 
their best to make the consumer unwary that they’ve installed it, 
once it’s on the desktop, no branding, no idea that these pop-ups 
might be coming from software, no easy way to uninstall. 

So the answer is that there’s a full spectrum of activity and we 
hope to combat it both through, you know, we hope that your ef- 
forts, as the Chairman and the Senators of this Committee through 
legislation will combat it, and our efforts from the standpoint of 
market education will allow certain models to emerge and to de- 
velop and to meet what ultimately can be very, very, very pro-con- 
sumer, pro-competition, pro-comparative advertising type of stand- 
ards and other models to disappear, so that the experience, the 
nightmare experience that people have, and I’ve heard this many, 
many times, you know, the nightmare experience that you have is 
I have 12 things on my computer, I have no idea where they come 
from, I don’t know how to stop them. We want to see that dis- 
appear as well. 

Senator Allen. Thank you, Mr. Naider. 

Senator Burns. Mr. Holleyman, I referred to a while ago, do you 
think right now there are enough laws on the books with regard 
to privacy that we could deal with this SPY BLOCK or spyware 
without passing this legislation? 

Mr. Holleyman. There are laws related to deceptive advertising 
through the FTC Act, the Computer Fraud and Abuse Act, all of 
which can be applied and should be applied, and I am very much 
holding open the possibility there may need to be additional legisla- 
tion that’s behavior-based to close the gaps. 

Senator Burns. Would you agree with that, Mr. Berman? 

Mr. Berman. I agree that we’re going to need legislation to close 
the gap because there is — we need to look at where it’s clear hijack- 
ing of computers and not allowing you to uninstall and taking over 
your Web page and a lot of behavior that’s in our FTC complaint 
against a company or two. We may need to — existing law may 
cover it, we need to try and figure out where it falls short and come 
back and fill in the gaps working with you. 

With respect to the privacy issue of collection and dissemination 
of information without notice and consent in this area we need leg- 
islative standards. 

Senator Burns. Whenever you start talking about national 
standards and this type thing, we ran into something in spam and 
I think that we should also look at it, because with our visits with 
our international friends, this just isn’t a national problem. In 
other words, everything that this spyware can be installed from not 
necessarily friendly soil, so to speak. 

Do we need to work with our international partners to also craft 
legislation that would work in their countries and recommend they 
do so? 

Mr. Berman. I would recommend that we try and sort this out 
first. 

Senator Burns. Here? 

Mr. Berman. Here. And so that we know, maybe we have some 
consensus about what we’re talking about. Right now it’s a tower 
of Babel as far as I’m concerned. I mean, what’s in and what’s out? 
But I think if we get down to some bad behavior, which is like 
CAN SPAM, let’s get some real things that we, you know, res ipsa 
loquitur, the thing speaks for itself, we understand it, this is bad, 
let’s get it. Then I think we can begin that dialogue. 

I agree that this is not something that because we pass a law it’s 
going to be solved, because spyware can be served from overseas. 
That’s why, you know, ideas like a do-not-spyware list won’t work, 
I mean, because we’re dealing with a global network. That’s why 
we need technology solutions as well as 

Senator Burns. Yes, sir. 

Mr. Holleyman. Can I make two points on that? One, we were 
of the view that a behavioral-based approach would give us the 
quickest, fastest tools in this country to try to address the prob- 
lems. Second, because we work as BSA on a global basis on public 
policy laws, I think there is a reason to look carefully at trying to 
avoid having to define what software looks like and what tech- 
nology looks like, because if we adopt that approach in the U.S. 
rather than the behavioral approach, presumably we’re going to be 
asking all of our major trade partners to pass similar legislation 
that defines the way software looks, and the same technology that 
can be used for bad purposes for spyware may provide good future 
uses of technology in areas like diagnostics and security tools. 

So if we can avoid having to create here and then around the 
world a definition for how we create software and deal with the be- 
havioral approach, we think we’ll be better off. 

Senator Burns. You see, it’s my thought on this thing that Mr. 
Naider is in a legitimate business. He is a legitimate operator and 
entrepreneur and runs a business and I think the standards are 
very important, because if we get the bad guys out there doing bad 
things, it does bad things to you. You get a bad reputation, and 
that’s what we want to do is for the industry to come together. Ba- 
sically that’s what we did with spam is it forced industry to sit 
down and talk to another and say, OK, how are we going to deal 
with this, and then they said, yes, we need a law, and yes, four of 
the biggest ISPs there is in the country filed a lawsuit on some of 
these people who are really basically clogging their pipes. In other 
words, they just can’t handle everything that they throw at them. 

So most everybody else has answered my question. I’ve sat here 
very interesting, but I do want to work with all of you — you had 
some other — you got another question? A couple more, OK. With 
respect to how we define and to see if we can’t do the same thing 
with this legislation as we intended with CAN SPAM, is the indus- 
try has to come together to the table and help us with those stand- 
ards. You can’t let government set the standards. If we do, we’ll be 
locked into technologies. 

I can remember first, when I first come here, we flew out to the 
consumers electronics convention in 1990 to Las Vegas and we 
were going through this debate on who’s going to standards for 
high definition television. And there were some people out there 
very well-intended that says government has got to set the stand- 
ards. And I said, if government sets the standards, then we’re 
going to be locked into that because it’s hard to change and tech- 
nology moves too fast, that if government sets it, then we’re locked 
into that situation. 

So we want to work with you very, very closely on definitions 
and allow the industry to come together and to really identify the 
bad guys and help us a little bit, because self-policing effect does 
have a cooling effect on those people who would do bad things. Sen- 
ator Wyden. 

Senator Wyden. Thank you, Mr. Chairman. You have really spo- 
ken for me in that regard. I think you’ve laid out the challenge 
very well. We’re going to need to work closely with all the people 
at the table if we’re to move this and that’s what we’ve tried to do 
so often in the past and I appreciate your making that comment. 

Just a couple of clean-up points that I’m interested in in terms 
of where we go. As you all, I think, have picked up, as Senator 
Burns and I have really had a little bipartisan island here where 
we have tried to kind of prosecute these causes that obviously are 
complicated and technical and sort of learn as we go, and I sort of 
sense a little bit of a reversal of position in terms of you, Mr. 
Holleyman. I just want to kind of make sure I’m sensing this. 

When I see your suggestion that Congress, and I quote here, sim- 
ply prohibit the distribution in interstate commerce of user infor- 
mation obtained electronically from an individual’s computer unless 
the person seeking to sell the information can show it was collected 
with the user’s explicit permission, and explicit would obviously be 
a definition, that certainly raises the prospect of your organization 
supporting a general online privacy bill. 
Now, that’s something that you all have been concerned about in 
the past and have wanted it to be much narrower, but I suspect 
that as this gets more complicated and we deal with the state and 
Federal issues and states going off on their own, people naturally 
are going to start to look at this differently without going into all 
of the issues that that statement raises about whether it apply only 
to software downloaded to a user’s computer or to websites a user 
visits, there’s score of issues. 

Are you all moving generally in the direction of a general online 
privacy bill? 

Mr. Holleyman. We’re not in a position at this point to raise a 
general online privacy bill. We do think that there are very legiti- 
mate privacy issues that are being addressed in part in the mar- 
ketplace today and for most online experiences. But what we do 
think is, specifically, with regard to spyware is what we need to do 
is create a mechanism that dries up the market for information 
that’s obtained and exploited commercially, where there is not a 
clear understanding that such information can be sold and distrib- 
uted. 

Senator Wyden. I won’t belabor this, but other than the defini- 
tions about explicit permission, that sentence I read sure sounds 
like the predicate for a general online privacy bill, which takes us 
back to Burns/Wyden 1 and would, I think, be very much worth 
pursuing. Chairman Burns and I have done all of this in total lock 
step along the way, but we tried this years ago and I personally 
would be very excited if you and Mr. Berman possibly could guide 
the Committee back to what Chairman Burns and I tried to do 
years ago. We’re going to try and get this bill passed because I 
think we’ve seen tremendous unhappiness, but I’m sort of trying to, 
with all of you here, to sort of lay the groundwork, because when 
I read that sentence, it struck me, and I haven’t compared your 
testimony and everything else. That that was beyond where you all 
had been in the past and was sort of encouraged about the possi- 
bility that we might get the two of you to be a bulwark for — look 
at Jerry, he’s 

[Laughter.] 

Mr. Holleyman. I’d be happy to talk about this any time. 

Senator Wyden. I won’t belabor it. I was encouraged by it. One 
other technical kind of question, a security question for maybe you, 
for Dr. Levine and Mr. Berman. We haven’t talked a lot about it 
today, but certainly this issue of security risks with respect to 
downloaded software, I mean, even if the software isn’t malicious, 
isn’t it possible that well-meaning software could, in effect, leave 
the back door open, making the computer more vulnerable to vi- 
ruses and hackers? 

Dr. Levine. It happens all the time. 

Mr. Berman. In fact, it’s the vulnerability of computers that 
some of these spyware programs are exploiting, back door vulnera- 
bilities and creating security breaches of their own, so that’s some- 
thing that we have under study and which this working group is 
looking at, but it is certainly one of the reasons why, one of the mo- 
tivating reasons why we have to think about really closing these 
loopholes and closing this problem down. 

Senator Wyden. That struck me as something that really hadn’t 
been mentioned, but we’re going to think of this primarily as some- 
thing that’s intrusive and violative of those who own computers, 
but also strikes me as opening up a real glide path for bad guys 
and an opportunity to have some real security vulnerabilities. 

Dr. Levine. I think a lot of what these programs do now should 
be, probably is illegal already under — in computer tampering laws, 
and it’s possible that it might be useful to have a statute that 
makes it more clear that this particular kind of tampering is what 
you contemplated in the existing tampering acts, so each case 
doesn’t have to come through and sort of educate the judge and say 
this sequence of events means you broke this law. 

But in general, yes, the security problems on users’ PCs are enor- 
mous and spyware jumps through some of them and causes others. 

Senator Wyden. Mr. Chairman, excellent hearing and I’m look- 
ing forward to working with you and like we’ve tried so often to 
sort of begin another journey and I look forward to doing it with 
you. 

Senator Burns. Well, and this may take more than four — I hope 
it takes less than 4 years, but at least we’re started. I want to reit- 
erate that SPY BLOCK requires notice and consent for four types 
of potentially damaging software, software which collects informa- 
tion about consumers and transmits to third parties over the Inter- 
net, adware providers are required to tell consumers what types of 
ads will pop up on users’ screen and what frequency. Software that 
modified user settings like changing their home page and software 
that uses distributed computing to use part of the computer proc- 
essing power in the background. 

You know, we’ve all time — Mr. Naider, and just one follow up 
and I thought about, you’ve given us a good scenario on your busi- 
ness, legitimate, run professionally. Give us an example of when 
you go too far. In other words, just give me an example. 

Mr. Naider. I’d be happy to. 

Senator Burns. Just for the record. 

Mr. Naider. Be happy to. A consumer installs a piece of software 
in the course of installing some other piece of software where 
there’s absolutely no visible disclosure, there’s some disclosure bur- 
ied perhaps six pages deep in the license agreement. Once on the 
desktop, there’s no visible indication to the consumer that they 
have that piece of software, whether it shows ads or not. It may 
show ads, whether it’s pop-ups or other types of ads, but there’s ab- 
solutely no indication to the consumer that those ads are coming 
from software. The consumer just wonders. Or if it doesn’t show 
ads, the software captures things like personal information or key- 
strokes or zip code location, et cetera. And then the consumer is 
not given any information about the software or how to uninstall 
it. 

These are things that we see every day in our business and we 
know that it exists and there’s a full spectrum of activity and we 
believe that that type of activity needs to be curtailed for the 
health of the industry, for the health of consumers’ computers, for 
the health of the industry as well. 

Senator Burns. Well, I know identity theft and of course credit 
card numbers are worth lots of money. 

Mr. Naider. Absolutely. 

Senator Burns. And that’s where the bad guys come in. Thank 
you for your testimony today. We look forward to working with all 
of you. We’re going to leave the record open for the next 2 weeks 
and if there are questions from the other members of the Com- 
mittee, please respond to them and the Committee. Thank you for 
coming today and these hearings are closed. 

[Whereupon, at 4:07 p.m., the hearing was adjourned.] 